if you're looking at the lzma thing and trying to figure out if you should be concerned, and if you can do anything about it:
the answers are definitely yes, and probably not much, respectively
this is one of those 'off the charts' sorts of scenarios, because the impact isn't just the vulnerability itself (a remote ssh backdoor on some systems), it's that it was seemingly inserted intentionally into this library which exists on every linux distro by one of the maintainers of the library, in signed commits, with very thorough attempts to obfuscate it, and with what appears to be active efforts to mask side effects when they were noticed.
so even if your system did not fit the criteria that we believe are necessary to trigger that backdoor and/or you have reverted to an older version that didn't have the final piece, you are still running code written by the person who intentionally added that backdoor.
linear cannon (linear@nya.social)'s status on Saturday, 30-Mar-2024 06:19:49 JST