Katherine Mcmillan <kmcmi...@uottawa.ca> writes:
> I have seen the following comment, or similar, in several articles
> now:
>
> "On Friday, a lone Microsoft developer rocked the world when he
> revealed a backdoor
> <https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/>
> had been intentionally planted in xz Utils, an open source data
> compression utility available on almost all installations of Linux
> and other Unix-like operating systems."
>
> https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/
>
> There are a couple of problems with this statement, but I just want
> to focus in on the "almost all installations of Linux and other
> Unix-like operating systems" part. From my understanding, it is
> certainly almost all installations of Linux, but the "and other
> Unix-like operating systems" doesn't seem founded. From what I
> understand, this backdoor would not affect any flavour of *BSD, or
> of illumos for that matter (ex. SmartOS), or QNX, or Solaris. Just
> for clarity, does anyone know what "Unix-like operating systems"
> would be affected by this?

The quoted passage states the platforms on which xz-utils is
available; it doesn't explicitly say that all of those platforms
are affected by this specific backdoor (though I acknowledge the
passage can be read in a way that implies that). Indeed, not even
all Linux platforms are affected: the backdoor specifically
targets RPM- and DEB-based systems. In addition to the detailed
writeup in Christian's message, there's also one by Russ Cox:

https://research.swtch.com/xz-script

(Who has also put together a timeline:
https://research.swtch.com/xz-timeline)

However, even though _this particular backdoor_ only affects (a
subset of) Linux platforms, there's the broader concern that the
_project_ was 'socially' backdoored - a project involving a piece
of software that's available for a wide variety of platforms, and
relatively deep in a number of stacks. (Although, on the technical
side, the versions of xz-utils since the malfeasant got involved,
but prior to the confirmed-backdoored versions, are being looked
at carefully.)

Alexis.