Nix / NixOS

1750 readers

11 users here now

Main links

Videos

founded 1 year ago

MODERATORS

erlingur@programming.dev

ballmerpeaking@programming.dev

WhiteBlackGoose@programming.dev

How the xz backdoor highlights a major flaw in Nix | Shade's Blog (shadeyg56.vercel.app)

submitted 7 months ago by starman@programming.dev to c/nix@programming.dev

11 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] Atemu@lemmy.ml 1 points 7 months ago (1 children)

That works for leaf packages but not for core node packages. Every package depends on xz in some way; it's in the stdenv aswell as bootstrap.

[–] GarlicToast@programming.dev 1 points 7 months ago (1 children)

You are right, it will be a mess to pull xz from a different hash. This is why you go back to an older build, and keep only packages you need on the newer version.

[–] Atemu@lemmy.ml 1 points 7 months ago

Those packages themselves depend on xz. Pretty much all of them.

What you're suggesting would only make the xz executable not be backdoored anymore but any other application using liblzma would still be as vulnerable as before. That's actually the only currently known attack vector; inject malicious code into SSHD via liblzma.