Discussion:
Is Slackware xz safe?
(too old to reply)
Joseph Rosevear
2025-01-28 23:43:33 UTC
Permalink
Hello all,

I bumped into news about the xz backdoor today. Has this already been discussed in this Usenet group?

If you haven't heard, it is a vulnerability present in some instances of xz. Slackware has /usr/bin/xz, so that raises the question, "Are we safe?"

I did a little more research and I found a post by Henrik (Thank you!) which says we *are* safe. That's a relief.

Here are some links:

https://en.wikipedia.org/wiki/XZ_Utils_backdoor

https://boehs.org/node/everything-i-know-about-the-xz-backdoor

https://www.reddit.com/r/DistroHopping/comments/1bvya0w/deleted_by_user/
See posts by sy029 and johncate73.

https://www.facebook.com/groups/7265053204
See post by Patrick Simmons.

https://www.linuxquestions.org/questions/slackware-14/xz-bug-need-anyone-do-anything-4175735492/
See post by Henrik.

-Joe
John McCue
2025-01-29 02:02:38 UTC
Permalink
Post by Joseph Rosevear
Hello all,
<snip>
Post by Joseph Rosevear
If you haven't heard, it is a vulnerability present in some
instances of xz. Slackware has /usr/bin/xz, so that raises
the question, "Are we safe?"
Slackware 15.0 "fixed", see

http://slackware.osuosl.org/slackware64-15.0/ChangeLog.txt

and search for xz-5.2.5-x86_64-4_slack15.0

But based upon what I have read, Slackware was never
vulnerable because it did not use systemd.

Also please review these links to learn how to post
correctly to USENET:

https://www.slack.net/~ant/usenet-posts.html

https://smfr.org/mtnw/docs/Usenet.html

<snip>

Thanks,
--
[t]csh(1) - "An elegant shell, for a more... civilized age."
- Paraphrasing Star Wars
Alexander Grotewohl
2025-01-29 21:16:56 UTC
Permalink
Post by John McCue
https://www.slack.net/~ant/usenet-posts.html
https://smfr.org/mtnw/docs/Usenet.html
how's he supposed to know what /you/ didn't like.. read your mind?
Henrik Carlqvist
2025-01-29 05:31:27 UTC
Permalink
Post by Joseph Rosevear
If you haven't heard, it is a vulnerability present in some instances of
xz. Slackware has /usr/bin/xz, so that raises the question, "Are we
safe?"
As John wrote, stable Slackware 15.0 has never been affected by any of
those bad versions. For those running the alpha or beta version of the
next stable Slackware, also known as "Slackware current", the bad
versions 5.6.0 and 5.6.1 was included for a short time. However, if I
understand things right, the xz.SlackBuild script used to build from
source does not user cmake but the old school way of "./configure; make"
and did not produce any bad binaries. Even if Slackware would have had
any bad binaries from any bad version it would not have become any ssh
backdoor as Slackware does not run systemd.

regards Henrik
Joseph Rosevear
2025-01-29 22:06:48 UTC
Permalink
On Wed, 29 Jan 2025 05:31:27 -0000 (UTC), Henrik Carlqvist wrote:

[snip]
Post by Henrik Carlqvist
As John wrote, stable Slackware 15.0 has never been affected by any of
those bad versions. For those running the alpha or beta version of the
next stable Slackware, also known as "Slackware current", the bad
versions 5.6.0 and 5.6.1 was included for a short time. However, if I
understand things right, the xz.SlackBuild script used to build from
source does not user cmake but the old school way of "./configure; make"
and did not produce any bad binaries. Even if Slackware would have had
any bad binaries from any bad version it would not have become any ssh
backdoor as Slackware does not run systemd.
regards Henrik
Hello, Henrik.

That's interesting. I was wondering whether systemd was involved in this
story. One of the links I posted included a message that said something
similar. Does systemd use ssh in some special way?

It is also interesting that cmake was involved. I had never heard of it,
but this link (hopefully correct) helped me to understand:

https://thisvsthat.io/cmake-vs-make

Does Slackware's invulnerability to the xz bug illustrate the danger of
"enshitification"? At least it does seem to underscore the value of
K.I.S.S.

-Joe
Rich
2025-01-30 01:11:04 UTC
Permalink
Post by Joseph Rosevear
[snip]
Post by Henrik Carlqvist
As John wrote, stable Slackware 15.0 has never been affected by any
of those bad versions. For those running the alpha or beta version
of the next stable Slackware, also known as "Slackware current", the
bad versions 5.6.0 and 5.6.1 was included for a short time.
However, if I understand things right, the xz.SlackBuild script used
to build from source does not user cmake but the old school way of
"./configure; make" and did not produce any bad binaries. Even if
Slackware would have had any bad binaries from any bad version it
would not have become any ssh backdoor as Slackware does not run
systemd.
regards Henrik
Hello, Henrik.
That's interesting. I was wondering whether systemd was involved in this
story. One of the links I posted included a message that said something
similar. Does systemd use ssh in some special way?
You know, this is all year old news, and just searching "xz backdoor"
should have found you this for further reading:

https://en.wikipedia.org/wiki/XZ_Utils_backdoor

The short story is the backdoor targeted ssh, and it got into ssh via
being linked into a systemd library that ssh, on systemd systems,
itself linked to.

For Slackware it was a no-op because Slackware does not use systemd, so
Slackware's ssh did not indirectly link to xz via a systemd library.
Joseph Rosevear
2025-01-30 03:12:29 UTC
Permalink
[snip]
Post by Rich
Post by Joseph Rosevear
That's interesting. I was wondering whether systemd was involved in
this story. One of the links I posted included a message that said
something similar. Does systemd use ssh in some special way?
You know, this is all year old news, and just searching "xz backdoor"
https://en.wikipedia.org/wiki/XZ_Utils_backdoor
The short story is the backdoor targeted ssh, and it got into ssh via
being linked into a systemd library that ssh, on systemd systems, itself
linked to.
For Slackware it was a no-op because Slackware does not use systemd, so
Slackware's ssh did not indirectly link to xz via a systemd library.
Hello, Rich,

Yes, I read the article once already. On rereading it I see that the xz
bug, ssh and systemd are all connected in a complex way.

I guess I missed this when it was first in the news. Thanks for your
help!

-Joe

Loading...