
Machines can be fully compromised, and the code could eventually have found its way onto this computer had it not been discovered. A fascinating story. The backdoor got into the pre-release branch of the widely used Debian Linux distribution, but not into the stable release.
What does this have to do with censorship? The short answer is everything. But a guy who wrote his own code so that Big Brother 'SHOULD' not have access to it would find this to be a big deal. And I do. Funny that this news is not mainstream.
Background
On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that gives developers lossless compression. This package is commonly used for compressing release tarballs, software packages, kernel images, and initramfs images. It is very widely distributed; statistically, your average Linux or macOS system will have it installed for convenience.
This backdoor is very indirect and only shows up when a few known, specific criteria are met. Others may yet be discovered! However, this backdoor is at least triggerable by remote unprivileged systems connecting to public SSH ports. This has been seen in the wild, where it gets activated by connections, resulting in performance issues, but we do not yet know what is required to bypass authentication (etc.) with it.
We're reasonably sure the following things need to be true for your system to be vulnerable:
- You need to be running a distro that uses glibc (for IFUNC)
- You need to have versions 5.6.0 or 5.6.1 of xz or liblzma installed (xz-utils provides the library liblzma) - likely only true if running a rolling-release distro and updating religiously.
We know that the combination of systemd and patched openssh is vulnerable, but pending further analysis of the payload, we cannot be certain that other configurations aren't.
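A small triage script for the two conditions listed above (an xz/liblzma version of 5.6.0 or 5.6.1, and an sshd whose dependency chain includes liblzma). This is an added example, not code from the post or from the xz project; it assumes the usual `xz --version` output ("xz (XZ Utils) X.Y.Z" followed by "liblzma X.Y.Z") and that `ldd` is available.

```shell
#!/bin/sh
# Added triage helper (not from the page or the xz project). Checks the
# conditions named in the text: liblzma version 5.6.0/5.6.1 and an sshd
# that links liblzma (on systemd-patched builds, via libsystemd).

# Return 0 (true) when the version string is one of the two affected releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Given the full text of `xz --version`, print the liblzma version when that
# line is present, otherwise the tool version from the first line.
parse_xz_version() {
    printf '%s\n' "$1" | awk '
        /^liblzma/ { lib = $2 }
        NR == 1    { tool = $NF }
        END        { print (lib != "" ? lib : tool) }'
}

# Return 0 when liblzma appears in the binary's dynamic dependency chain
# (ldd resolves transitive dependencies such as libsystemd -> liblzma).
links_liblzma() {
    command -v ldd >/dev/null 2>&1 || return 1
    ldd "$1" 2>/dev/null | grep -q 'liblzma'
}

main() {
    if command -v xz >/dev/null 2>&1; then
        ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
        if xz_version_affected "$ver"; then
            echo "liblzma $ver: matches an affected version"
        else
            echo "liblzma $ver: not one of the affected versions"
        fi
    else
        echo "xz not installed"
    fi
    sshd=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd" ] && links_liblzma "$sshd"; then
        echo "$sshd links liblzma: exposed if the version above is affected"
    elif [ -x "$sshd" ]; then
        echo "$sshd does not link liblzma"
    else
        echo "no sshd binary found"
    fi
}

main "$@"
```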