1. Forum
  2. USENET
  3. alt.os.linux.slackware

  • Is Slackware xz safe?

    From Joseph Rosevear@Mail@JoesLife.org to alt.os.linux.slackware on Tue Jan 28 23:43:33 2025
    From Newsgroup: alt.os.linux.slackware

    Hello all,

    I bumped into news about the xz backdoor today. Has this already been discussed in this Usenet group?

    If you haven't heard, it is a vulnerability present in some instances of xz. Slackware has /usr/bin/xz, so that raises the question, "Are we safe?"

    I did a little more research and I found a post by Henrik (Thank you!) which says we *are* safe. That's a relief.

    Here are some links:

    https://en.wikipedia.org/wiki/XZ_Utils_backdoor

    https://boehs.org/node/everything-i-know-about-the-xz-backdoor

    https://www.reddit.com/r/DistroHopping/comments/1bvya0w/deleted_by_user/
    See posts by sy029 and johncate73.

    https://www.facebook.com/groups/7265053204
    See post by Patrick Simmons.

    https://www.linuxquestions.org/questions/slackware-14/xz-bug-need-anyone-do-anything-4175735492/
    See post by Henrik.

    -Joe
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From John McCue@jmccue@magnetar.jmcunx.com to alt.os.linux.slackware on Wed Jan 29 02:02:38 2025
    From Newsgroup: alt.os.linux.slackware

    Joseph Rosevear <Mail@joeslife.org> wrote:
    Hello all,

    <snip>

    If you haven't heard, it is a vulnerability present in some
    instances of xz. Slackware has /usr/bin/xz, so that raises
    the question, "Are we safe?"

    Slackware 15.0 "fixed", see

    http://slackware.osuosl.org/slackware64-15.0/ChangeLog.txt

    and search for xz-5.2.5-x86_64-4_slack15.0

    But based upon what I have read, Slackware was never
    vulnerable because it did not use systemd.

    Also please review these links to learn how to post
    correctly to USENET:

    https://www.slack.net/~ant/usenet-posts.html

    https://smfr.org/mtnw/docs/Usenet.html

    <snip>

    Thanks,
    --
    [t]csh(1) - "An elegant shell, for a more... civilized age."
    - Paraphrasing Star Wars
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Henrik Carlqvist@Henrik.Carlqvist@deadspam.com to alt.os.linux.slackware on Wed Jan 29 05:31:27 2025
    From Newsgroup: alt.os.linux.slackware

    On Tue, 28 Jan 2025 23:43:33 +0000, Joseph Rosevear wrote:

    If you haven't heard, it is a vulnerability present in some instances of
    xz. Slackware has /usr/bin/xz, so that raises the question, "Are we
    safe?"

    As John wrote, stable Slackware 15.0 has never been affected by any of
    those bad versions. For those running the alpha or beta version of the
    next stable Slackware, also known as "Slackware current", the bad
    versions 5.6.0 and 5.6.1 was included for a short time. However, if I understand things right, the xz.SlackBuild script used to build from
    source does not user cmake but the old school way of "./configure; make"
    and did not produce any bad binaries. Even if Slackware would have had
    any bad binaries from any bad version it would not have become any ssh backdoor as Slackware does not run systemd.

    regards Henrik
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Alexander Grotewohl@alexm0n@gmail.com to alt.os.linux.slackware on Wed Jan 29 21:16:56 2025
    From Newsgroup: alt.os.linux.slackware

    On Wed, 29 Jan 2025 02:02:38 -0000 (UTC), John McCue wrote:

    Also please review these links to learn how to post correctly to USENET:

    https://www.slack.net/~ant/usenet-posts.html

    https://smfr.org/mtnw/docs/Usenet.html


    how's he supposed to know what /you/ didn't like.. read your mind?
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Joseph Rosevear@Mail@JoesLife.org to alt.os.linux.slackware on Wed Jan 29 22:06:48 2025
    From Newsgroup: alt.os.linux.slackware

    On Wed, 29 Jan 2025 05:31:27 -0000 (UTC), Henrik Carlqvist wrote:

    [snip]

    As John wrote, stable Slackware 15.0 has never been affected by any of
    those bad versions. For those running the alpha or beta version of the
    next stable Slackware, also known as "Slackware current", the bad
    versions 5.6.0 and 5.6.1 was included for a short time. However, if I understand things right, the xz.SlackBuild script used to build from
    source does not user cmake but the old school way of "./configure;
    make"
    and did not produce any bad binaries. Even if Slackware would have had
    any bad binaries from any bad version it would not have become any ssh backdoor as Slackware does not run systemd.

    regards Henrik

    Hello, Henrik.

    That's interesting. I was wondering whether systemd was involved in this story. One of the links I posted included a message that said something similar. Does systemd use ssh in some special way?

    It is also interesting that cmake was involved. I had never heard of it,
    but this link (hopefully correct) helped me to understand:

    https://thisvsthat.io/cmake-vs-make

    Does Slackware's invulnerability to the xz bug illustrate the danger of "enshitification"? At least it does seem to underscore the value of
    K.I.S.S.

    -Joe
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Rich@rich@example.invalid to alt.os.linux.slackware on Thu Jan 30 01:11:04 2025
    From Newsgroup: alt.os.linux.slackware

    Joseph Rosevear <Mail@joeslife.org> wrote:
    On Wed, 29 Jan 2025 05:31:27 -0000 (UTC), Henrik Carlqvist wrote:

    [snip]

    As John wrote, stable Slackware 15.0 has never been affected by any
    of those bad versions. For those running the alpha or beta version
    of the next stable Slackware, also known as "Slackware current", the
    bad versions 5.6.0 and 5.6.1 was included for a short time.
    However, if I understand things right, the xz.SlackBuild script used
    to build from source does not user cmake but the old school way of
    "./configure; make" and did not produce any bad binaries. Even if
    Slackware would have had any bad binaries from any bad version it
    would not have become any ssh backdoor as Slackware does not run
    systemd.

    regards Henrik

    Hello, Henrik.

    That's interesting. I was wondering whether systemd was involved in this story. One of the links I posted included a message that said something similar. Does systemd use ssh in some special way?

    You know, this is all year old news, and just searching "xz backdoor"
    should have found you this for further reading:

    https://en.wikipedia.org/wiki/XZ_Utils_backdoor

    The short story is the backdoor targeted ssh, and it got into ssh via
    being linked into a systemd library that ssh, on systemd systems,
    itself linked to.

    For Slackware it was a no-op because Slackware does not use systemd, so Slackware's ssh did not indirectly link to xz via a systemd library.

    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From Joseph Rosevear@Mail@JoesLife.org to alt.os.linux.slackware on Thu Jan 30 03:12:29 2025
    From Newsgroup: alt.os.linux.slackware

    On Thu, 30 Jan 2025 01:11:04 -0000 (UTC), Rich wrote:

    Joseph Rosevear <Mail@joeslife.org> wrote:

    [snip]

    That's interesting. I was wondering whether systemd was involved in
    this story. One of the links I posted included a message that said
    something similar. Does systemd use ssh in some special way?

    You know, this is all year old news, and just searching "xz backdoor"
    should have found you this for further reading:

    https://en.wikipedia.org/wiki/XZ_Utils_backdoor

    The short story is the backdoor targeted ssh, and it got into ssh via
    being linked into a systemd library that ssh, on systemd systems, itself linked to.

    For Slackware it was a no-op because Slackware does not use systemd, so Slackware's ssh did not indirectly link to xz via a systemd library.

    Hello, Rich,

    Yes, I read the article once already. On rereading it I see that the xz
    bug, ssh and systemd are all connected in a complex way.

    I guess I missed this when it was first in the news. Thanks for your
    help!

    -Joe
    --- Synchronet 3.21d-Linux NewsLink 1.2