In message <86v84t5vio....@ltc.des.dev>, Dag-Erling Smørgrav writes:
> "Chen, Alvin W" <weike.c...@dell.com> writes:
> > My understanding is: the 'xz' built from FreeBSD is not impacted, but
> > the 'xz' built from Linux and run based on FreeBSD Linux ABI could be
> > impacted.
>
> It is certainly possible to build liblzma with the backdoor on a Linux
> host (or in a Linux jail on a FreeBSD host) and run it on a FreeBSD
> host. However, the backdoor does nothing unless loaded into an sshd
> process, so you would still not be affected unless you were running a
> Linux sshd binary and that sshd binary loaded the backdoored liblzma.
> FreeBSD's sshd binary (whether from base or ports) does not load
> liblzma, and if it did, it would not be able to load a Linux version of
> the library.

The backdoor also required sshd be linked against liblzma (because
libsystemd requires it). OpenSSH doesn't use liblzma by default. liblzma
is a systemd requirement.

BTW, Lasse Collin's GH account and the xz repo have been re-enabled. It
was pointed out to me at $JOB yesterday that he's been busy repairing xz.
Looking at his commits, he certainly has been. This is good news.

-- 
Cheers,
Cy Schubert <cy.schub...@cschubert.com>
FreeBSD UNIX: <c...@freebsd.org> Web: https://FreeBSD.org
NTP: <c...@nwtime.org> Web: https://nwtime.org

e^(i*pi)+1=0
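
The linkage condition discussed in this thread, as an added example that is not part of the original messages: a shell function that reads `ldd` output and reports whether liblzma is in a binary's dependency set and whether libsystemd is present alongside it. The function name, the result labels and the sample `ldd` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies `ldd` output read on stdin:
#   lzma-via-systemd  liblzma and libsystemd are both loaded
#   lzma-direct       liblzma is loaded, libsystemd is not
#   no-lzma           liblzma is not in the dependency set
# classify_sshd_deps and the labels are hypothetical names.
classify_sshd_deps() {
    deps=$(cat)
    has_lzma=no
    has_systemd=no
    # ldd lists the full transitive set, one "name => path (addr)" per line,
    # so liblzma shows up even when only libsystemd asks for it.
    if printf '%s\n' "$deps" | grep -Eq '(^|[[:space:]/])liblzma\.so'; then
        has_lzma=yes
    fi
    if printf '%s\n' "$deps" | grep -Eq '(^|[[:space:]/])libsystemd\.so'; then
        has_systemd=yes
    fi
    if [ "$has_lzma" = no ]; then
        echo no-lzma
    elif [ "$has_systemd" = yes ]; then
        echo lzma-via-systemd
    else
        echo lzma-direct
    fi
}

# Constructed sample: a Linux sshd built with libsystemd support.
LINUX_SAMPLE='	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0000400000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000300000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000200000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000000000)'

# Constructed sample: an sshd with no liblzma dependency.
FREEBSD_SAMPLE='/usr/sbin/sshd:
	libcrypto.so.30 => /lib/libcrypto.so.30 (0x0000000800400000)
	libc.so.7 => /lib/libc.so.7 (0x0000000800200000)'

printf 'linux sample:   %s\n' "$(printf '%s\n' "$LINUX_SAMPLE" | classify_sshd_deps)"
printf 'freebsd sample: %s\n' "$(printf '%s\n' "$FREEBSD_SAMPLE" | classify_sshd_deps)"
# On a live host: ldd "$(command -v sshd)" | classify_sshd_deps
```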