by Latty 771 days ago
According to Arch: "openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma. Arch does not directly link openssh to liblzma", so at least one of your examples is wrong. That specific vulnerability was not in Arch.

The xz package was potentially vulnerable (although not in reality because "the build script was configured to only inject the bad code in Debian/Fedora based package build environments", while this was a choice by the attacker, it's still true the vulnerability wasn't there), but patching OpenSSH made OpenSSH specifically vulnerable when used with a malicious xz install.

https://archlinux.org/news/the-xz-package-has-been-backdoore...

2 comments
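The comment above turns on one distinction: whether an sshd binary lists liblzma among its own dependencies or only reaches it through libsystemd. This added POSIX sh example (not from the thread or from any distribution's tooling) classifies that linkage from a binary's DT_NEEDED entries and its ldd closure. The function names, and the sample readelf/ldd output used to exercise them, are constructed for this example; `readelf` (binutils) and `ldd` (glibc) are the real tools the wrapper calls.

```shell
#!/bin/sh
# Added example, not from the thread: report whether a binary links liblzma
# directly (DT_NEEDED) or only transitively (e.g. via libsystemd).

# Constructed sample: sonames and ldd closure for an sshd built without the
# systemd notification patch (assumed Arch-like layout).
SAMPLE_DIRECT_ARCH='libcrypto.so.3
libz.so.1
libc.so.6'
SAMPLE_LDD_ARCH='libcrypto.so.3 => /usr/lib/libcrypto.so.3
libz.so.1 => /usr/lib/libz.so.1
libc.so.6 => /usr/lib/libc.so.6'

# Constructed sample: sshd patched for systemd notification, so libsystemd is a
# direct dependency and liblzma appears only in the transitive closure.
SAMPLE_DIRECT_DEB='libcrypto.so.3
libsystemd.so.0
libc.so.6'
SAMPLE_LDD_DEB='libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3
libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6'

# Constructed sample: hypothetical binary that names liblzma itself.
SAMPLE_DIRECT_LZMA='liblzma.so.5
libc.so.6'

# classify_lzma_linkage DIRECT_LIST TRANSITIVE_LIST
#   DIRECT_LIST:     newline-separated DT_NEEDED sonames of the binary
#   TRANSITIVE_LIST: ldd-style output (full closure, one library per line)
# Prints "direct", "transitive" or "none".
classify_lzma_linkage() {
    if printf '%s\n' "$1" | grep -q '^liblzma\.so'; then
        echo direct
    elif printf '%s\n' "$2" | grep -q 'liblzma\.so'; then
        echo transitive
    else
        echo none
    fi
}

# inspect_binary PATH: run the real tools on an installed binary.
# readelf prints NEEDED entries as "(NEEDED) Shared library: [soname]";
# a static binary yields empty lists and is reported as "none".
inspect_binary() {
    bin="$1"
    direct=$(readelf -d "$bin" 2>/dev/null | sed -n 's/.*(NEEDED).*\[\(.*\)]/\1/p')
    transitive=$(ldd "$bin" 2>/dev/null)
    classify_lzma_linkage "$direct" "$transitive"
}

# Usage: sh check_lzma.sh /usr/sbin/sshd
if [ -n "$1" ]; then
    inspect_binary "$1"
fi
```

A result of `transitive` with libsystemd in the direct list is the Debian/Fedora shape the comment describes; `none` is what Arch's unpatched sshd produces. The check only says how the binary is linked, not whether the installed liblzma is a trustworthy build, so it complements rather than replaces a package-version check.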

Right... I may have wrongly named Arch in my comment. Thanks for the correction.

I'm curious about Arch's claim that "the build script was configured to only inject the bad code in Debian/Fedora based package build environments". Were Debian and Fedora specifically targeted, and the other distros who also got affected just happened to use similar packaging routines, or is this claim a guess?

The malicious build script included heuristics to only include the backdoor if you were building a .deb or .rpm package (the Debian and Fedora formats respectively). Other distros would have been affected if they used the same packaging setup -- Ubuntu also uses .deb, for example, because it's based on Debian.

And some distros IIRC considered themselves "affected" if they ever used a malicious version of the code, just in case, even if the backdoor didn't actually get compiled into their version.

It's odd to call RPM the "Fedora" format. It literally means Red Hat Package Manager [0]. Well, at least it used to, according to Wikipedia. :D

It's true that Red Hat now owns Fedora, but the adoption went the other way around.

[0] https://en.wikipedia.org/wiki/RPM_Package_Manager

Me too, especially since many packages on Arch begin by downloading the official .deb/.rpm
Does this happen for official packages or just the AUR? I was pretty sure that when possible they build the packages from source themselves rather than bundling pre-existing binaries, and I'd assume that they wouldn't likely have the sources in the final package. IIRC Debian doesn't even like to bundle the headers in with libraries, in preference to splitting them off into a separate file, so I'd be kind of shocked if they put the entire source of each library in the .deb files they distribute.
Arch package maintainer here; we generally encourage building from source for packages provided by the official repositories. As far as I know, we only ship pre-compiled binaries if there is no source available, i.e. commercial programs such as reaper.
Awesome, that's pretty much exactly what I had thought
>"openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma. Arch does not directly link openssh to liblzma", so at least one of your examples is wrong. That specific vulnerability was not in Arch.

This is such a weird formulation though, because "other distributions" apparently included insignificant parts of the Linux landscape like Fedora (i.e. the testing variant of the Red Hat world) and SUSE.

And if the three largest upstream distris in the Linux world have this mistake, calling that "Well some distris, but screw mostly Debian" doesn't sound like a strong point.

I wasn't claiming Debian were somehow singularly at fault, the poster just specifically said Arch was also vulnerable, which wasn't true.