I bet that you use software packages that are built and authored on systems that have systemd+sshd, though.
What happens if development or build machines belong to people who control projects that you trust and have been compromised?
Do you use a web browser? Do you use a graphical desktop environment? Are the machines those guys use vulnerable? Are the developers of the libraries that they depend on vulnerable?
Remember, this guy was attacking a downstream project (sshd) by compromising and signing source in a specific tarball of a library – the malicious code never made it into git – used by an unrelated piece of software (systemd) that some distros, not even the ssh guys, happened to link into sshd’s memory space. He’s trying to compromise unrelated software via elaborate supply chain attacks.
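One concrete check that follows from the point above (the backdoor lived in the release tarball, not in git): diff what a release tarball ships against the source tree at the corresponding tag, and treat anything the tarball adds or changes as something to explain. The script below is an added example, not code from this thread or from any project; the toy source tree, tarball and file names (`m4/build-host.m4`, `m4/gettext-extra.m4`) are constructed inline so it runs offline.

```python
"""Compare a release tarball against a source tree (for instance a git
checkout at the release tag) and report files the tarball adds, drops or
modifies. Added example for this thread; the sample data is constructed."""
import hashlib
import io
import os
import tarfile
import tempfile


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tree_digests(root: str) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = _sha256(fh.read())
    return out


def tarball_digests(tar_path: str) -> dict:
    """Map relative path (top-level release dir stripped) -> sha256."""
    out = {}
    with tarfile.open(tar_path, "r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            # Release tarballs unpack into one top-level directory; drop it.
            parts = member.name.split("/", 1)
            rel = parts[1] if len(parts) == 2 else parts[0]
            # Refuse traversal-style names before using them as keys.
            if rel.startswith("/") or ".." in rel.split("/"):
                raise ValueError(f"suspicious path in tarball: {member.name}")
            out[rel] = _sha256(tf.extractfile(member).read())
    return out


def compare(tree: dict, tar: dict, generated_ok=frozenset()) -> dict:
    """Classify differences. Paths in generated_ok (autotools output such
    as 'configure') are allowed to exist only in the tarball."""
    only_tar = sorted(p for p in tar if p not in tree and p not in generated_ok)
    only_tree = sorted(p for p in tree if p not in tar)
    changed = sorted(p for p in tar if p in tree and tar[p] != tree[p])
    return {"only_in_tarball": only_tar, "only_in_tree": only_tree, "changed": changed}


def build_sample() -> tuple:
    """Construct a toy source tree and a tarball that quietly differs from
    it. File names and contents are made up for this example."""
    base = tempfile.mkdtemp()
    tree = os.path.join(base, "src")
    files = {"configure.ac": b"AC_INIT([demo], [1.0])\n",
             "m4/build-host.m4": b"dnl clean macro\n",
             "src/main.c": b"int main(void) { return 0; }\n"}
    for rel, data in files.items():
        full = os.path.join(tree, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    # Tarball: one macro modified, one file present only in the tarball,
    # plus the legitimately generated 'configure' script.
    tar_files = dict(files)
    tar_files["m4/build-host.m4"] = b"dnl clean macro\ndnl extra line not in git\n"
    tar_files["m4/gettext-extra.m4"] = b"dnl file not in git\n"
    tar_files["configure"] = b"#!/bin/sh\n"
    tar_path = os.path.join(base, "demo-1.0.tar.gz")
    with tarfile.open(tar_path, "w:gz") as tf:
        for rel, data in tar_files.items():
            info = tarfile.TarInfo("demo-1.0/" + rel)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return tree, tar_path


if __name__ == "__main__":
    tree_dir, tar_path = build_sample()
    report = compare(tree_digests(tree_dir), tarball_digests(tar_path),
                     generated_ok={"configure"})
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
```

Against a real release you would point `tree_digests` at `git archive`/checkout output for the tag and `tarball_digests` at the downloaded tarball; the `generated_ok` allowlist is where you record the build-system output you expect to be regenerated, so that everything else the tarball adds stands out rather than drowning in autotools noise.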
Wow… Luckily I don’t use systemd, which seems to be the vector causing the sshd backdoor, via liblzma…
Pretty scary anyway.