• Question about XZ backdoor & compression

    From William Richards #SaveOurInternet@3:633/10 to All on Sunday, December 28, 2025 01:10:01
    Hello Debian (and RedHat),
    I am wondering if anyone ended up compressing (or considered compressing)
    their software with XZ Utils before the latest Debian build at the time of
    the backdoor's discovery was released. Are they allowed to do that? Has any developer considered it at one point?
    Also:
    - Does the backdoor target systems *during* compression tasks/builds with
    lzma or does it target systems after a package is built and when said
    package is running?
    - how does the infected liblzma library affect OpenSSH & systemd when these
    2 programs use the original lzma library in XZ Utils? Does the destination
    of the lzma library just change after a compression task is completed? Is
    it okay to run an application with the infected library if said infected library is in a different destination from the original so the only way the original can be affected is performing a specific compression task with XZ Utils?
    (Basically, do you have to do a manual, non-automatic, man-done task to activate the backdoor?)
    I've done as much research as I can but I can't find any concrete answers
    to these particular questions so I figured contacting you guys about this
    would work.
    I've tried to make sure that this backdoor wouldn't negatively affect any critical infrastructure that depends on Linux such as the public cloud
    workload for example.
    Also I don't seem to have any information on how Linux operates in data
    centers other than "Data centers around the world are largely built on
    Linux". No mentions of OpenSSH at all.
I'm still concerned though - if data centers were to be affected by this I highly suggest trying to reach out to governments about open source
    security and by keeping in touch with me, I have a large list of critical
    open source projects (e.g. Cloudflare, Nginx, Core-JS, ImageMagick, etc.)
    that should get support.


    --- PyGate Linux v1.5.2
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From tomas@3:633/10 to All on Sunday, December 28, 2025 09:40:01
    On Sat, Dec 27, 2025 at 11:59:27PM +0000, William Richards #SaveOurInternet wrote:
    > Hello Debian (and RedHat),
    > I am wondering if anyone ended up compressing (or considered compressing) their software with XZ Utils before the latest Debian build at the time of the backdoor's discovery was released. Are they allowed to do that? Has any developer considered it at one point?
    > Also:
    > [...]
    That thing has been described extensively. I don't understand why
    you are posing these questions.
    Have you read, e.g.
    https://en.wikipedia.org/wiki/Xz_backdoor#Mechanism
    Do you have any reasons to believe that this exploit has targeted
    anything else than the patched-for-systemd sshd server variants?
    Remember: for stealthiness, the exploit was injected during the
    "make test" phase, thus avoiding being seen directly in the source
    code. It checked whether it was "in" the mentioned SSH patch.
    (As a side note, this "indirect deploy during the build process"
    has gained some tradition in the wild, as can be seen in [1].
    This is interesting, because Ken Thompson demonstrated this
    pattern already in 1984 [2]. Sometimes, industry moves slowly)
    Cheers
    [1] https://lwn.net/Articles/773121/
    [2] https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf
    --
    t


    --- PyGate Linux v1.5.2
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
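The reply above points at the key defensive lesson of the xz incident: the malicious build logic was shipped in the release tarball rather than in the public git history, so it never appeared in the source code anyone reviewed. A cheap review step for any build pipeline that consumes release tarballs is to diff the extracted tarball against a checkout of the tagged commit and flag files that exist only in the tarball or whose contents differ. The script below is an added example written for this thread, not code from either poster or from the xz project. It assumes the tarball has already been extracted to a directory; the file names and contents in `demo()` are constructed sample data, not real xz sources.

```python
"""Compare an extracted release tarball against a VCS checkout of the same tag.

Lists files present only in the distributed tree (the pattern used by the xz
backdoor, whose build-time injection lived in a tarball-only file) and files
whose content differs between the two trees. Example code for this thread,
not part of any project's tooling.
"""
import hashlib
import os
import tempfile
from pathlib import Path

VCS_METADATA_DIRS = {".git", ".hg", ".svn"}


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _index(root: Path) -> dict:
    """Map relative file paths under root to content hashes, skipping VCS metadata."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune VCS directories in place so os.walk does not descend into them.
        dirnames[:] = [d for d in dirnames if d not in VCS_METADATA_DIRS]
        for name in filenames:
            full = Path(dirpath) / name
            out[str(full.relative_to(root))] = _sha256(full)
    return out


def compare_trees(dist_root, vcs_root):
    """Return (only_in_dist, only_in_vcs, modified) as sorted lists of relative paths.

    only_in_dist is the list a reviewer should read first: every entry is a
    file the tarball ships that the repository at the same tag does not.
    """
    dist = _index(Path(dist_root))
    vcs = _index(Path(vcs_root))
    only_in_dist = sorted(set(dist) - set(vcs))
    only_in_vcs = sorted(set(vcs) - set(dist))
    modified = sorted(p for p in dist.keys() & vcs.keys() if dist[p] != vcs[p])
    return only_in_dist, only_in_vcs, modified


def demo():
    """Build two constructed sample trees (hypothetical project, not real xz files)."""
    with tempfile.TemporaryDirectory() as tmp:
        vcs = Path(tmp) / "vcs"
        dist = Path(tmp) / "dist"
        for root in (vcs, dist):
            (root / "m4").mkdir(parents=True)
            (root / "configure.ac").write_text("AC_INIT([demo], [1.0])\n")
            (root / "m4" / "common.m4").write_text("dnl shared macro\n")
        # VCS metadata must not show up as "only in VCS".
        (vcs / ".git").mkdir()
        (vcs / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
        # The tarball carries an extra macro file and a configure.ac that pulls it in.
        (dist / "m4" / "extra.m4").write_text("dnl only in the tarball\n")
        (dist / "configure.ac").write_text(
            "AC_INIT([demo], [1.0])\nm4_include([m4/extra.m4])\n"
        )
        return compare_trees(dist, vcs)


if __name__ == "__main__":
    only_dist, only_vcs, changed = demo()
    print("only in tarball:", only_dist)
    print("only in VCS:    ", only_vcs)
    print("content differs:", changed)
```

Run it on a real release by calling `compare_trees("/path/to/extracted-tarball", "/path/to/checkout")`. Generated files such as `configure` will legitimately appear in the tarball-only list for autotools projects; the point is that every entry in that list should be explainable from the project's release procedure, and a macro or script nobody can account for is exactly what a reviewer wants to see before the build runs.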