On 2024-03-29, a backdoor was publicly disclosed in the XZ Utils software. Inferencium systems did have the affected versions of this software installed, and the tools were used. The software has since been downgraded to the last-known safe version.
After extensive research, it has been discovered that several specific criteria must all be met, at build time and at run time, for the backdoor to be effective. Based on what is known, Inferencium systems are unaffected by this attack for the following reasons:
- Inferencium systems run Gentoo Linux, whose OpenSSH package does not carry the Debian and Red Hat patches that link sshd against libsystemd.
- Inferencium systems use musl libc, not glibc. The backdoor installs its hooks through glibc's non-standard IFUNC (indirect function) mechanism, which musl does not implement, so the malicious code cannot run.
- Inferencium systems use Clang as the system compiler and lld as the system linker, not GCC and GNU ld; the backdoor's build-time stage checks for GCC and GNU ld and does not inject itself otherwise.
- Inferencium systems use OpenRC as the init system, not systemd. libsystemd and systemd-notify are not used with OpenRC, so sshd is never linked against libsystemd, the library that pulls liblzma into the sshd process on systemd-based distributions.
The only criterion met by Inferencium systems is amd64 as the system architecture; on its own, this is not enough for the backdoor to be effective. Even if every criterion other than running glibc were met, Inferencium systems would still be unaffected by this attack, because musl does not support the IFUNC functionality on which the backdoor appears to depend heavily.
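The criteria above can be turned into a quick host triage. The following POSIX shell script is an added example, not Inferencium's tooling or anything from the XZ Utils project: it checks whether the installed xz is one of the affected upstream releases (5.6.0 or 5.6.1), whether the host's C library is glibc or musl (the IFUNC point), and whether liblzma, usually dragged in via libsystemd, is actually mapped into sshd. The ldd output it tests against is constructed sample data, and the sshd paths it probes on the live host are an assumption.

```shell
#!/bin/sh
# Added triage script (not Inferencium's or the XZ project's code): turns the
# preconditions listed above into checks that run on constructed ldd output or
# on the live host. Affected upstream releases are 5.6.0 and 5.6.1.

# Returns 0 (true) when the given xz version string is an affected release.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extracts the version number from "xz --version" output, whose first line
# reads "xz (XZ Utils) 5.6.1".
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Returns 0 when ldd output for sshd shows liblzma mapped into the process.
sshd_loads_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Returns 0 when ldd output shows the libsystemd link that the Debian and
# Red Hat OpenSSH patches introduce; on those systems it drags in liblzma.
sshd_links_libsystemd() {
    printf '%s\n' "$1" | grep -q 'libsystemd\.so'
}

# Classifies the C library from the dynamic loader named in ldd output:
# prints "musl", "glibc" or "unknown".
libc_flavour() {
    if printf '%s\n' "$1" | grep -q 'ld-musl'; then
        echo musl
    elif printf '%s\n' "$1" | grep -qE 'libc\.so\.6|ld-linux'; then
        echo glibc
    else
        echo unknown
    fi
}

# Combines the checks. Prints "clean:", "downgrade:" or "exposed:" followed by
# the reason. An affected liblzma must still be downgraded even when sshd is
# not exposed, because the full capability of the payload is not known.
exposure_verdict() {
    ver="$1"; ldd_out="$2"
    if ! xz_version_affected "$ver"; then
        echo "clean: xz ${ver:-unknown} is not an affected release"
    elif [ "$(libc_flavour "$ldd_out")" != glibc ]; then
        echo "downgrade: affected xz, but non-glibc libc has no IFUNC for the hook"
    elif ! sshd_loads_liblzma "$ldd_out"; then
        echo "downgrade: affected xz, but liblzma is not loaded into sshd"
    else
        echo "exposed: affected liblzma is loaded into sshd on glibc"
    fi
}

# Constructed sample ldd output (not captured from a real host): the first
# resembles a Debian-style sshd on glibc where libsystemd pulls in liblzma,
# the second a musl/OpenRC host whose sshd links neither library.
DEBIAN_LIKE_LDD='	linux-vdso.so.1 (0x00007ffd5a3f0000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f2a3c200000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f2a3c1c0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a3be00000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f2a3c400000)'
MUSL_LIKE_LDD='	/lib/ld-musl-x86_64.so.1 (0x00007f9b1e000000)
	libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x00007f9b1dc00000)
	libc.so => /lib/ld-musl-x86_64.so.1 (0x00007f9b1e000000)'

# Live check of the current host; the sshd paths probed are an assumption and
# every step degrades quietly when a tool is missing.
live_check() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz: not installed"; return 0
    fi
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    sshd_bin=""
    for p in /usr/sbin/sshd /usr/bin/sshd /sbin/sshd; do
        if [ -x "$p" ]; then sshd_bin="$p"; break; fi
    done
    if [ -z "$sshd_bin" ] || ! command -v ldd >/dev/null 2>&1; then
        echo "xz ${ver:-unknown}: sshd or ldd not found, cannot assess exposure"; return 0
    fi
    echo "xz ${ver:-unknown}, $sshd_bin: $(exposure_verdict "$ver" "$(ldd "$sshd_bin" 2>/dev/null)")"
}

echo "sample debian-like host: $(exposure_verdict 5.6.1 "$DEBIAN_LIKE_LDD")"
echo "sample musl/OpenRC host: $(exposure_verdict 5.6.1 "$MUSL_LIKE_LDD")"
live_check
```

The verdict deliberately separates "exposed" (sshd can be hooked) from "downgrade" (the affected release is present but a precondition is missing): the second case is exactly the position described above, where the hook cannot install but the package should still be rolled back because the payload's full behaviour is not known.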
Despite the evidence, it is unknown exactly what this malicious code does and is capable of in its entirety. As a precautionary measure, I have generated a new SSH key and classified the previous key as compromised. You can find my new key on the Key webpage.
There is no evidence that my previous key was compromised, so this is entirely a
precautionary measure. All files and Git commits, tags, and releases signed with the
previous key, even after discovery of the backdoor, up to 2024-04-01, are secure and validly
signed by me; the key should not be trusted after this date.
I completely support Lasse Collin during this time. Support should be provided to him for
what occurred to his project and how it was sabotaged. He clearly had good intentions and
was burnt out from the commitment to his project, which led to Jia Tan taking advantage of
him. He has posted his own, official statement on behalf of the XZ Utils project about how it intends to move forward. Assistance should be provided to support both him and the community.