• DefederateLemmyMl
    7 months ago

    In the case of Arch, the backdoor also wasn’t inserted into liblzma at all, because at build time there was a check to see if it’s being built on a deb- or rpm-based system, and it is only inserted in those two cases.

    See https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 for an analysis of the situation.

    So even if Arch built their xz binaries off the backdoored tarball, it was never actually vulnerable.

    • Possibly linux@lemmy.zip
      7 months ago

      I just know there is a lot of uncertainty. Maybe a complete wipe is an overreaction, but it is better to be safe.