Hello Debian (and RedHat),
I am wondering if anyone ended up compressing (or considered compressing) their software with XZ Utils before the latest Debian build at the time of the backdoor's discovery was released. Are they allowed to do that? Has any developer considered it at one point?
Also:
- Does the backdoor target systems during compression tasks/builds with lzma or does it target systems after a package is built and when said package is running?
- How does the infected liblzma library affect OpenSSH & systemd when these 2 programs use the original lzma library in XZ Utils? Does the destination of the lzma library just change after a compression task is completed? Is it okay to run an application with the infected library if said infected library is in a different destination from the original, so the only way the original can be affected is by performing a specific compression task with XZ Utils?
(Basically, do you have to do a manual, non-automatic, man-done task to activate the backdoor?)
I've done as much research as I can but I can't find any concrete answers to these particular questions so I figured contacting you guys about this would work.
I've tried to make sure that this backdoor wouldn't negatively affect any critical infrastructure that depends on Linux such as the public cloud workload for example.
Also I don't seem to have any information on how Linux operates in data centers other than "Data centers around the world are largely built on Linux". No mentions of OpenSSH at all.
I'm still concerned though - if data centers were to be affected by this, I highly suggest trying to reach out to governments about open source security and keeping in touch with me; I have a large list of critical open source projects (e.g. Cloudflare, Nginx, Core-JS, ImageMagick, etc.) that should get support.