473
Arch with XZ (lemmy.world)
submitted 7 months ago by qwioeue@lemmy.world to c/linuxmemes@lemmy.world
top 50 comments
sorted by: hot top controversial new old
[-] zephr_c@lemm.ee 121 points 7 months ago

OpenSUSE Tumbleweed has it. The Fedora 40 beta has it. Its just a result of being bleeding edge. Arch doesn't have exclusive rights to that.

[-] fl42v@lemmy.ml 117 points 7 months ago

Incorrect: the backdoored version was originally discovered by a Debian sid user on their system, and it presumably worked. On arch it's questionable since they don't link sshd with liblzma (although some say some kind of a cross-contamination may be possible via a patch used to support some systemd thingy, and systemd uses liblzma). Also, probably the rolling opensuse, and mb Ubuntu. Also nixos-unstalbe, but it doesn't pass the argv[0] requirements and also doesn't link liblzma. Also, fedora.

Btw, https://security.archlinux.org/ASA-202403-1

[-] SpaceCowboy@lemmy.ca 17 points 7 months ago

Sid was that dickhead in Toystory that broke the toys.

If you're running debian sid and not expecting it to be a buggy insecure mess, then you're doing debian wrong.

[-] mexicancartel@lemmy.dbzer0.com 5 points 7 months ago

Fedora and debian was affected in beta/dev branch only, unlike arch

load more comments (2 replies)
[-] lemmyvore@feddit.nl 91 points 7 months ago

I thought Arch was the only rolling distro that doesn't have the backdoor. Its sshd is not linked with liblzma, and even if it were, they compile xz directly from git so they wouldn't have gotten the backdoor anyway.

[-] angel@iusearchlinux.fyi 30 points 7 months ago

TBF they only switched to building from git after they were notified of the backdoor yesterday. Prior to that, the source tarball was used.

[-] qwioeue@lemmy.world 21 points 7 months ago* (last edited 7 months ago)

liblzma is the problem. sshd is just the first thing they found that it is attacking. liblzma is used by firefox and many other critical packages.

[-] Rustmilian@lemmy.world 32 points 7 months ago

Arch does not directly link openssh to liblzma, and thus this attack vector is not possible. You can confirm this by issuing the following command:

ldd "$(command -v sshd)"
[-] qwioeue@lemmy.world 7 points 7 months ago* (last edited 7 months ago)

Yes, this sshd attack vector isn't possible. However, they haven't decomposed the exploit and we don't know the extent of the attack. The reporter of the issue just scratched the surface. If you are using Arch, you should run pacman right now to downgrade.

[-] Fubarberry@sopuli.xyz 36 points 7 months ago

They actually have an upgrade fix for it, at least for the known parts of it. Doing a standard system upgrade will replace the xz package with one with the known backdoor removed.

[-] HopFlop@discuss.tchncs.de 15 points 7 months ago

If you are using Arch, you should run pacman right now to downgrade.

No, just update. It's already fixed. Thats the point of rolling release.

[-] Trail@lemmy.world 4 points 7 months ago

Bold of you to assume I hare upgraded in the first place.

load more comments (1 replies)
load more comments (1 replies)
[-] qupada@kbin.social 11 points 7 months ago* (last edited 7 months ago)

Interestingly, looking at Gentoo's package, they have both the github and tukaani.org URLs listed:

https://github.com/gentoo/gentoo/blob/master/app-arch/xz-utils/xz-utils-5.6.1.ebuild#L28

From what I understand, those wouldn't be the same tarball, and might have thrown an error.

load more comments (1 replies)
[-] observantTrapezium@lemmy.ca 88 points 7 months ago
[-] possiblylinux127@lemmy.zip 5 points 7 months ago

It is not entirely clear either this exploit can affect other parts of the system. This is one those things you need to take extremely seriously

load more comments (2 replies)
[-] germanatlas@lemmy.blahaj.zone 86 points 7 months ago

most stable

How the hell is arch more stable than Debian?

[-] chrash0@lemmy.world 11 points 7 months ago

i think it’s a matter of perspective. if i’m deploying some containers or servers on a system that has well defined dependencies then i think Debian wins in a stability argument.

for me, i’m installing a bunch of experimental or bleeding edge stuff that is hard to manage in even a non LTS Debian system. i don’t need my CUDA drivers to be battle tested, and i don’t want to add a bunch of sketchy links to APT because i want to install a nightly version of neovim with my package manager. Arch makes that stuff simple, reliable, and stable, at least in comparison.

[-] laurelraven@lemmy.blahaj.zone 8 points 7 months ago

"Stable" doesn't mean "doesn't crash", it means "low frequency of changes". Debian only makes changing updates every few years, and you can wait a few more years before even taking those changes without losing security support while Arch makes changing updates pretty much every time a package you have installed does.

In no way is Arch more stable than Debian (other than maybe Debian Unstable/Sid, but even then it's likely a bit of a wash)

load more comments (1 replies)
[-] Shareni@programming.dev 6 points 7 months ago

Just Arch users being delusional. Every recent thread that had Arch mentioned in the comments has some variation of "Arch is the most stable distro" or "Stable distros have more issues than Arch".

load more comments (19 replies)
[-] Allero@lemmy.today 66 points 7 months ago* (last edited 7 months ago)

Arch is not vulnerable to this attack vector. Fedora Rawhide, OpenSUSE Tumbleweed and Debian Testing are.

[-] possiblylinux127@lemmy.zip 8 points 7 months ago

Notice normal distros aren't affected

load more comments (6 replies)
[-] carl@upload.chat 52 points 7 months ago* (last edited 7 months ago)

Arch has already updated XZ by relying on the source code repository itself instead of the tarballs that did have the manipulations in them.

It's not ideal since we still rely on a potentially *otherwise* compromised piece of code still but it's a quick and effective workaround without massive technical trouble for the issue at hand.

[-] A_Very_Big_Fan@lemmy.world 4 points 7 months ago

instead of the tarballs that did have the manipulations in them

My only exposure to Linux is SteamOS so I might be misunderstanding something, but if not:

How in the world did it get infected in the first place? Do we know?

[-] khannie@lemmy.world 8 points 7 months ago

From what I read it was one of the contributors. Looks like they have been contributing for some time too before trying to scooch in this back door. Long con.

[-] dan@upvote.au 9 points 7 months ago

It seems like this contributor had malicious intent the entire time they worked on the project. https://boehs.org/node/everything-i-know-about-the-xz-backdoor

load more comments (1 replies)
[-] HopFlop@discuss.tchncs.de 4 points 7 months ago

Basically, one of the contributors that had been contributing for quite some time (and was therefore partly trusted), commited a somewhat hidden backdoor. I doubt it had any effect (as it was discovered now before being pushed to any stable distro and the exploit itself didnt work on Arch) bjt we'll have to wait for the effect to be analyzed.

[-] RegalPotoo@lemmy.world 49 points 7 months ago

https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/

There are no known reports of those versions being incorporated into any production releases for major Linux distributions, but both Red Hat and Debian reported that recently published beta releases used at least one of the backdoored versions [...] A stable release of Arch Linux is also affected. That distribution, however, isn't used in production systems.

Ouch

[-] RegalPotoo@lemmy.world 26 points 7 months ago

Also,

Arch is the most stable

Are you high?

[-] Kata1yst@kbin.social 13 points 7 months ago

I think the confusion comes from the meaning of stable. In software there are two relevant meanings:

  1. Unchanging, or changing the least possible amount.

  2. Not crashing / requiring intervention to keep running.

Debian, for example, focuses on #1, with the assumption that #2 will follow. And it generally does, until you have to update and the changes are truly massive and the upgrade is brittle, or you have to run software with newer requirements and your hacks to get it working are brittle.

Arch, for example, instead focuses on the second definition, by attempting to ensure that every change, while frequent, is small, with a handful of notable exceptions.

Honestly, both strategies work well. I've had debian systems running for 15 years and Arch systems running for 12+ years (and that limitation is really only due to the system I run Arch on, rather than their update strategy.

It really depends on the user's needs and maintenance frequency.

load more comments (6 replies)
[-] MonkderZweite@feddit.ch 17 points 7 months ago* (last edited 7 months ago)

A stable release of Arch Linux is

not a thing.

Ars uses AI now?

[-] yukiat@lemmy.world 46 points 7 months ago* (last edited 7 months ago)

Bro WTF. How about you actually read up on the backdoor before slandering Arch. The backdoor DOES NOT affect Arch.

[-] starman@programming.dev 45 points 7 months ago* (last edited 7 months ago)

It has the freshest packages, ahead of all distros

Let me introduce you to Nixpkgs. Its packages are "fresher" than Arch's by a large margin. Even on stable channels.

https://repology.org/repositories/statistics/newest

load more comments (3 replies)
[-] jlh@lemmy.jlh.name 19 points 7 months ago
[-] tubaruco@lemm.ee 13 points 7 months ago
[-] mlg@lemmy.world 26 points 7 months ago

Very common compression utility for LZMA (.xz file)

Similar to .gzip, .zip, etc.

[-] dan@upvote.au 4 points 7 months ago* (last edited 7 months ago)

It's definitely common, but zstd is gaining on it since in a lot of cases it can produce similarly-sized compressed files but it's quicker to decompress them. There's still some cases where xz is better than zstd, but not very many.

[-] teegus@sh.itjust.works 18 points 7 months ago

People doesn't even know what ~~a rootkit~~ XZ is, why should they care? -Sony CEO probably

[-] Sibbo@sopuli.xyz 12 points 7 months ago

Arch users are really just cannon fodder against supply chain attacks.

[-] Static_Rocket@lemmy.world 5 points 7 months ago

We're the front line dog. Strike me down so Debian Stable's legacy may live on.

[-] eya@lemmy.dbzer0.com 5 points 7 months ago

void doesnt have it :3

[-] JATtho@lemmy.world 4 points 7 months ago* (last edited 7 months ago)

I just did: "rm -rf xz"

pacman -Syu
find / -name "*xz*"  | sort | grep -e '\.xz$' | xargs -o -n1 rm -i 
pacman -Qqn | pacman -S -

(and please, absolutely don't run above as root. Just don't.) I carefully answered to retain any root owned files and my backups, despite knowing the backdoor wasn't included in the culprit package. This system has now "un-trusted" status, meaning I'll clean re-install the OS, once the full analysis of the backdoor payload is available.

Edit: I also booted the "untrusted" system without physical access to the web, no gui, and installed the fixed package transferred to it locally. (that system is also going to be dd if=/dev/zero'd)

load more comments
view more: next ›
this post was submitted on 30 Mar 2024
473 points (84.3% liked)

linuxmemes

21160 readers
1888 users here now

Hint: :q!


Sister communities:


Community rules (click to expand)

1. Follow the site-wide rules

2. Be civil
  • Understand the difference between a joke and an insult.
  • Do not harrass or attack members of the community for any reason.
  • Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
  • Bigotry will not be tolerated.
  • These rules are somewhat loosened when the subject is a public figure. Still, do not attack their person or incite harrassment.
  • 3. Post Linux-related content
  • Including Unix and BSD.
  • Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of sudo in Windows.
  • No porn. Even if you watch it on a Linux machine.
  • 4. No recent reposts
  • Everybody uses Arch btw, can't quit Vim, and wants to interject for a moment. You can stop now.

  • Please report posts and comments that break these rules!

    founded 1 year ago
    MODERATORS