Katherine Mcmillan <kmcmi...@uottawa.ca> writes:

I have seen the following comment, or similar, in several articles now:
"On Friday, a lone Microsoft developer rocked the world when he revealed a backdoor <https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/> had been intentionally planted in xz Utils, an open source data compression utility available on almost all installations of Linux and other Unix-like operating systems."
https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/

There are a couple of problems with this statement, but I just want to focus in on the "almost all installations of Linux and other Unix-like operating systems" part. From my understanding, it is certainly almost all installations of Linux, but the "and other Unix-like operating systems" doesn't seem founded. From what I understand, this backdoor would not affect any flavour of *BSD, or of illumos for that matter (ex. smartOS), or QNX, or Solaris. Just for clarity, does anyone know what "Unix-like operating systems" would be affected by this?

The quoted passage states the platforms on which xz-utils is available; it doesn't explicitly say that all of those platforms are affected by this specific backdoor (though I acknowledge the passage can be read in a way that implies that). Indeed, not even all Linux platforms are affected: the backdoor specifically targets RPM- and DEB-based systems. In addition to the detailed writeup in Christian's message, there's also one by Russ Cox:

 https://research.swtch.com/xz-script

(Who has also put together a timeline: https://research.swtch.com/xz-timeline)

However, even though _this particular backdoor_ only affects (a subset of) Linux platforms, there's the broader concern that the _project_ was 'socially' backdoored - a project involving a piece of software that's available for a wide variety of platforms, and relatively deep in a number of stacks. (Although, on the technical side, the versions of xz-utils since the malfeasant got involved, but prior to the confirmed-backdoored versions, are being looked at carefully.)


Alexis.
