holy fuck: https://www.openwall.com/lists/oss-security/2024/03/29/4
tl;dr: libxz backdoored by its maintainer; the malicious libxz detects if it's been linked into opensshd (which doesn't actually use libxz, but many distros patch it to use libsystemd, and libsystemd uses libxz) and, if so, does something (as yet unclear exactly what) to opensshd's RSA_public_decrypt()
appears to target Debian and Fedora, and didn't make it into stable versions of either, so you're probably fine unless you're running Fedora 41/rawhide or Debian testing
npub1fr…0tq3l
2024-03-29 17:54:41
Author Public Key
npub1frq62vj4qv2w3sn5vr4r2hgl6aa4nn0w5j438fsc35dt07fqyegqv0tq3lPublished at
2024-03-29 17:54:41Event JSON
{
"id": "6573b6918f31b96c8a92ee16f7b43cbdf64100decf991ed273d07af5050a2a9c",
"pubkey": "48c1a532550314e8c27460ea355d1fd77b59cdeea4ab13a6188d1ab7f9202650",
"created_at": 1711734881,
"kind": 1,
"tags": [
[
"proxy",
"https://cathode.church/users/Gaelan/statuses/112180257183321530",
"activitypub"
]
],
"content": "holy fuck: https://www.openwall.com/lists/oss-security/2024/03/29/4\n\ntl;dr: libxz backdoored by its maintainer; the malicious libxz detects if it's been linked into opensshd (which doesn't actually use libxz, but many distros patch it to use libsystemd, and libsystemd uses libxz) and, if so, does something (as yet unclear exactly what) to opensshd's RSA_public_decrypt()\n\nappears to target Debian and Fedora, and didn't make it into stable versions of either, so you're probably fine unless you're running Fedora 41/rawhide or Debian testing",
"sig": "28ea7a617801c956ae3615e0165983dc99fbce0cd0ec458fcae1cccf7d917cc6ef6189a5d9a355f4f1dc7ea2841f709de1928e48c264f67bb57c66ecccabbaa3"
}