Re: backdoor in upstream xz/liblzma leading to ssh server compromise

[Alex Gaynor <alex.gaynor () gmail com>]

On Fri, Mar 29, 2024 at 1:07 PM Andres Freund <andres () anarazel de> wrote:
> Hi Alex,
>
> (I was not subscribed to oss-security and not CCed, so I only got your email
> from the archive, not sure if I got the In-Reply-To etc right. Subscribed
> now.)

Your email came through.

> > Thanks for writing this up. Just to make sure I understand the action
> > item here: folks who are building their own xz, should switch to a
> > release prior to 5.6.0, as those are the only ones known to be
> > unaffected?
>
> If you are building your own xz you might not be affected, due to either the
> debian/ directory needing to exist, or $RPM_ARCH needing to be
> set. Furthermore, if you build from git, rather than the distributed tarballs,
> the backdoor code won't be injected into the build, even if present in the
> repository. Similar if you build with cmake, I think.
>
> However, I personally would still downgrade, even if likely not affected due
> to the above.
>
> Greetings,
>
> Andres Freund

Thanks for confirming, and indeed I'm taking a better safe than sorry approach.

Alex

-- 
All that is necessary for evil to succeed is for good people to do nothing.