== Affected Systems ==
Running as part of a debian or RPM package build:
if test -f "$srcdir/debian/rules" || test "x$RPM_ARCH" = "xx86_64";then
...
openssh does not directly use liblzma. However debian and several other
distributions patch openssh to support systemd notification, and libsystemd
does depend on lzma.
Initially starting sshd outside of systemd did not show the slowdown, despite
the backdoor briefly getting invoked. This appears to be part of some
countermeasures to make analysis harder.
Observed requirements for the exploit:
a) TERM environment variable isnotset
b) argv[0] needs to be /usr/sbin/sshd
c) LD_DEBUG, LD_PROFILE are notset
d) LANG needs to be set
e) Some debugging environments, like rr, appear to be detected. Plain gdb
appears to be detected in some situations, but not others
So if you were using Arch, you were unaffected by this vulnerability because
the script wouldn’t trigger because it uses neither DEB nor RPM packages
even if it had triggered, the backdoor only gets activated when the calling binary is /usr/sbin/sshdwhich doesn’t happen in Arch because they don’t patch OpenSSH to support systemd (which in turn pulls in xz).
This doesn’t mean that Arch saved you because it’s super secure or anything, but this was a supply chain attack that hit Arch (and Debian Sid, where the backdoor was actually caught because ssh logins took so long…), but it didn’t trigger because it wasn’t targeted.
Meaning there’s no immediate need to be concerned, but you should update ASAP even though the Arch package probably doesn’t contain backdoored artifacts.
Debian is not really the problem, but rather the target, just read the original announcement at https://www.openwall.com/lists/oss-security/2024/03/29/4:
== Affected Systems == Running as part of a debian or RPM package build: if test -f "$srcdir/debian/rules" || test "x$RPM_ARCH" = "xx86_64";then ... openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma. Initially starting sshd outside of systemd did not show the slowdown, despite the backdoor briefly getting invoked. This appears to be part of some countermeasures to make analysis harder. Observed requirements for the exploit: a) TERM environment variable is not set b) argv[0] needs to be /usr/sbin/sshd c) LD_DEBUG, LD_PROFILE are not set d) LANG needs to be set e) Some debugging environments, like rr, appear to be detected. Plain gdb appears to be detected in some situations, but not others
So if you were using Arch, you were unaffected by this vulnerability because
/usr/sbin/sshd
which doesn’t happen in Arch because they don’t patch OpenSSH to support systemd (which in turn pulls in xz).This doesn’t mean that Arch saved you because it’s super secure or anything, but this was a supply chain attack that hit Arch (and Debian Sid, where the backdoor was actually caught because ssh logins took so long…), but it didn’t trigger because it wasn’t targeted.
Meaning there’s no immediate need to be concerned, but you should update ASAP even though the Arch package probably doesn’t contain backdoored artifacts.
The announcement link leads to a Not Found
It just worked fine when I checked right now
Thanks for clarifying. I read through the original announcement but I couldn’t fully understand it
Typical Arch user.
English is not my native language and I am still pretty new to Linux. But it doesn’t change the fact that Arch was not compromised and Debian is/was
Thanks for telling that means arch is not compromised as of right now.