The xz package has been backdoored

Please see the Arch main page announcement and take appropriate action.


For anyone remotely interested in the subject of the execution of the attack, just a hint that the attacker’s git history is an extremely interesting case-study!

They have been working for ~2 years on building reputation, sneaking in commits in all kinds of tangentially relevant projects (clang, llvm, oss-fuzz, xz-java), migrating the tukaani project’s host to mirror github (essentially taking information-control away from previous domain owners), changing directions for CVE reporting, and probably more.

For the curious (PLEASE treat relevant code with CAUTION!): Jia Tan Github


I was not active online and just realized about this back door. I immediately updates pacman. What else should I do?

Assuming you ran sudo pacman -Syu or yay or something equivalent, there is nothing to worry about now. You should be having updated xz without backdoor.

If you really want to confirm, run pacman -Qi xz and ensure the version mentioned is 5.6.1-2

Nothing, but it mostly concerned Debian based and Fedora/Suse distributions, because by default they link lzma library to openssh and it’s not the case with Arch.

As mentioned in the link in OP, if you run the command :

ldd "$(command -v sshd)"

and don’t see liblzma in the list, you’re fine (xz package updated or not).

There is no liblzma in this list.

dodged a bullet Matrix-style?

Jia team is probably tortured in some basement right now, because of their failure :rofl:


While they did fail, they also kinda succeeded… in highlighting we might be trusting opensource way too much.

I know I have been getting a bit more paranoid, and I’m pretty sure I’m not the only one. Here’s for example a Reddit post about Ventoy, which I’ve used in the past but I’m getting anxious about using again in the near future.

1 Like

It’s perfectly safe if you’re created your isos with non-backdoored versions…

Besides we won’t get rid of it anytime soon:

pacman -Qi xz

And it’s not even that project’s fault per-se, it could happen to any small project with such level of sophisticated attack…


I’ll address your reply in reverse order :stuck_out_tongue:

I was not implying that at all.

If anything, assuming the original maintainer is completely innocent (which I think is the right thing to assume as long as there is no evidence of the opposite) I’m actually kind of sad about his whole situation, seeing the pressure he was under and the lack of respect for his work by the people involved.

I wasn’t talking about Ventoy’s inclusion or building against xz specifically!

I was talking about people sharing their perception of the project being a mess code-wise (making it way harder to audit), and the inclusion of a bunch of BLOBs that could definitely be avoided for the shake of security and transparency.

I wasn’t even trying to make the point specifically about Ventoy, I just happened to come across the linked post. I’m sure it’s not the first and it won’t be the last opensource project that meets such criteria making me a bit more paranoid post-xz incident…

1 Like

Community at large is VERY sus :male_detective:


1 Like