Arch already addressed it by switching the source from the release tarball to the git tag with xz 5.6.1-2. It’s currently available in the Manjaro unstable branch. I’ll fast-track it to our testing & stable branches here shortly.
I don’t know much about packaging, but some people on the Hacker News post claimed the backdoor only affects Debian / RPM distributions because of some extra patching they do on the ssh daemon. I don’t know how to verify if these claims are true, so it’s better to wait until a Manjaro maintainer confirms if we are safe or not.
For what it’s worth, ldd `which sshd` does not include liblzma on Manjaro ARM (presumably also not on Manjaro x86), so at least the packaged sshd is not affected by the backdoor.
Also, almost everything I’ve been reading implies that it is just OpenSSH that is affected. If that is the case, then the sky isn’t falling, but there sure are a lot of packages that rely on xz.
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
…and now I see 5.6.1 is being pushed to the repos, however it seems that contains the malicious code also???
XZ 5.6 debuted one month ago and XZ 5.6.1 came out three weeks ago. As of writing, no XZ 5.6.2 or similar released version is yet available with the malicious code removed.
Admittedly I’m the dummy here, but it looks to me like this is not distro-dependent.
It’s very simple, just read the official Arch Linux post that @Yochanan linked above instead of random sites.
Arch does not directly link openssh to liblzma, and thus this attack vector is not possible. You can confirm this by issuing the following command:
ldd "$(command -v sshd)"
However, out of an abundance of caution, we advise users to remove the malicious code from their system by upgrading either way. This is because other yet-to-be discovered methods to exploit the backdoor could exist.
For our openSUSE Tumbleweed users where SSH is exposed to the internet we recommend installing fresh, as it’s unknown if the backdoor has been exploited. Due to the sophisticated nature of the backdoor an on-system detection of a breach is likely not possible.
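The two checks discussed in the Arch post above (does sshd link liblzma, and is the installed xz one of the affected tarball builds) as an added example script; this is not code from the thread, from Arch or from openSUSE. It assumes the affected upstream versions are 5.6.0 and 5.6.1 as stated in the thread, that 5.6.1-2 or later is the git-tag rebuild mentioned in the first post, and that the package is named `xz`.

```sh
#!/bin/sh
# Added example (not from the thread or the distro posts). Assumptions:
# bad upstream tarballs are 5.6.0 and 5.6.1; package release 5.6.1-2+ is
# the git-tag rebuild; the package is called "xz".

# Return 0 (true) when VERSION is a known-bad tarball build.
xz_version_is_bad() {
    case "$1" in
        5.6.0|5.6.0-*) return 0 ;;   # all 5.6.0 builds came from the tarball
        5.6.1|5.6.1-1) return 0 ;;   # first 5.6.1 packaging: tarball
        *)             return 1 ;;   # older, or 5.6.1-2+ rebuilt from git
    esac
}

# Return 0 (true) when the ldd output passed as $1 lists liblzma.
ldd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Installed liblzma version: ask pacman first, fall back to xz itself.
installed_xz_version() {
    v=$(pacman -Q xz 2>/dev/null | awk '{print $2}')
    [ -n "$v" ] || v=$(xz --version 2>/dev/null | awk '/^liblzma/ {print $2}')
    printf '%s\n' "$v"
}

# Run both checks on the live system (run as root so sshd is on PATH).
check_system() {
    ver=$(installed_xz_version)
    if [ -z "$ver" ]; then
        echo "xz: not found"
    elif xz_version_is_bad "$ver"; then
        echo "xz $ver: affected tarball build, upgrade to 5.6.1-2 or later"
    else
        echo "xz $ver: not a known-bad build"
    fi
    sshd_path=$(command -v sshd 2>/dev/null) || { echo "sshd: not installed"; return 0; }
    if ldd_links_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
        echo "sshd: links liblzma, the vector the Arch post rules out is present here"
    else
        echo "sshd: does not link liblzma"
    fi
}

# Constructed ldd output (not captured from any real host) for offline testing.
SAMPLE_LDD_ARCH='    libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x0000)
    libc.so.6 => /usr/lib/libc.so.6 (0x0000)'
SAMPLE_LDD_PATCHED='    libsystemd.so.0 => /usr/lib/libsystemd.so.0 (0x0000)
    liblzma.so.5 => /usr/lib/liblzma.so.5 (0x0000)'

case "${1:-}" in --run) check_system ;; esac
```

Invoke it as `sh check-xz.sh --run` to check the host; the constructed samples only exercise the parsing functions.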