Should we be worried about the xz backdoor?

[d4r1us-drk]

As far as I know, Void Linux shouldn't be affected by this even if we are building xz & liblzma from the release tarballs (which we are), because according to Andres Freund here.

openssh does not directly use liblzma. However debian and several other
distributions patch openssh to support systemd notification, and libsystemd
does depend on lzma.

Right now Void is shipping version 5.6.0 (which is an affected version) with #49444 to bump it to 5.6.1. Should we downgrade?

[d4r1us-drk]

The Arch guys said this too here:

Arch does not directly link openssh to liblzma, and thus this attack vector is not possible. ... However, out of an abundance of caution, we advise users to remove the malicious code from their system by upgrading either way. This is because other yet-to-be discovered methods to exploit the backdoor could exist.

[d4r1us-drk]

For more info here are the links:

RedHat Report: https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
Debian Report: https://lists.debian.org/debian-security-announce/2024/msg00057.html
CVE: https://access.redhat.com/security/cve/CVE-2024-3094

[classabbyamp]

Right now Void is shipping version 5.6.0 (which is an affected version) with #49444 to bump it to 5.6.1.

no we are not

void's sshd (or its dependencies) do not link against liblzma, so under the current knowledge, the attack is not possible.

[d4r1us-drk]

Didn't see that there was a commit to reverse to 5.4.X, yesterday I made an install and I saw 5.6.0, glad to see it was fixed very quickly

[d4r1us-drk]

I guess if we stay in the 5.4 series we won't have an issue, so I'm closing for now.