Comments by "Gilad Barlev" (@GSBarlev) on "The XZ Linux Backdoor Is Incredibly BAD!!" video.
Just finished my systems audit. As expected, half (Debian, elementary and SteamOS) were using an old xz (5.2), and the other half are Arch, which don't build from source tars. Looks like very few real-world systems were actually compromised, thanks to how quickly this was caught. Thanks for covering this, Brodie!
49
Guy mostly works on Postgres. Compared to DB vulnerabilities, running point on this probably didn't even raise his blood pressure.
28
Three weeks puts you in the range of having an affected version, but because PKGBUILD scripts clone the repos instead of downloading the source tars, you should be fine regardless.
8
What makes you think any anti-malware tool would have detected this when the distros' own build tools didn't?
5
Haha, yep. Just did an audit of my systems. Half are on LTS distros, and the other half are Arch, which doesn't build from source tars. Reading up on this, it looks like it compromised basically zero real-world systems due to how quickly it was caught.
4
Arch build 5.6.1-2 is fine. Arch also shouldn't be affected generally because PKGBUILDs clone the repos.
3
@soulstenance I'm not 💯 about the "don't download release tars" thing, but Arch's announcement said that they don't directly link openssh to liblzma (thus blocking this attack vector).
3
Hilariously, because this wasn't in any stable releases, the only "production" systems to be affected by this are... macOS systems running Homebrew. Now that I type that out, I really hope Tim Apple doesn't get wind of it, lest he try to crack down on macOS "sideloading".
2
@ArbitraryCodeExecution Well I'm apparently wrong about the cloning being the standard practice anyway—still, Arch says they're not vulnerable because they don't link openssh to liblzma. 🤷♂️
2
My guess is that whatever country this guy lives in isn't in any rush to arrest or extradite him.
2
@terminalvelocity4858 PKGBUILD scripts are still how Arch packages get built.
1
Per the Arch announcement, 5.6.1-2 (and above) are fine. As Brodie mentioned, Arch does not directly link openssh to liblzma, and thus this attack vector is not possible—the new build is out of "an abundance of caution."
1
@SeekingTheLoveThatGodMeans7648 Strange times indeed. Though maybe it's helpful for one's psyche to call Freund a Postgres developer who gets a paycheck from Microsoft. Don't forget that Redmond runs GitHub and employs Guido van Rossum, along with dozens of other FOSS luminaries.
1
@insu_na I thought PKGBUILDs cloned the repos. I assumed the 5.6.1-2 builds were just scrubbing the dormant payloads.
1