
A backdoor in xz

Posted Mar 30, 2024 14:56 UTC (Sat) by fghorow (subscriber, #5229)
In reply to: A backdoor in xz by daroc
Parent article: A backdoor in xz

I just ran into a case where hexdump was not available on the machine being tested. The script complained about that, but printed the "probably not vulnerable" result anyway. Rather than trying to correct the script and open up another can of worms, please just use common sense when interpreting the output of this script.



A backdoor in xz

Posted Mar 31, 2024 16:01 UTC (Sun) by vegard (subscriber, #52330)

Yes, sorry -- it was hacked up in a couple of hours in anticipation of the report going live. The script was tested by 3-4 people in private before it got posted, but it obviously had some flaws. It was also meant for advanced users, in a way (think organizations or system administrators who can adapt it to their systems, not necessarily end users). I felt it was better to keep the script short and readable as opposed to trying to adapt it to every possible configuration, as that would have made it harder to trust (as in: here's yet another shell script doing who-knows-what...).

A backdoor in xz

Posted Mar 31, 2024 16:05 UTC (Sun) by fghorow (subscriber, #5229)

My comment was made as a "heads up" and it was not intended as criticism of your script.

You absolutely made the right call in keeping it simple, IMHO. Thank you.
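
The failure mode raised at the top of this thread (a missing `hexdump` still ending in "probably not vulnerable") can be avoided with a three-state verdict. The sketch below is an added example, not the detection script discussed here and not code from either commenter; the function names, the hex pattern argument and the tool list are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: a check that reports "inconclusive" instead of a clean
# result whenever a helper tool is missing or the dump step fails.
# All names are hypothetical; the pattern is supplied by the caller.

# have_tools TOOL...: succeed only if every named tool is on PATH.
have_tools() {
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || {
            echo "missing tool: $t" >&2
            return 1
        }
    done
}

# hex_of FILE: print the file as one lowercase hex string (needs hexdump).
hex_of() {
    hexdump -ve '1/1 "%02x"' "$1"
}

# check_file FILE HEXPATTERN [TOOL...]
# Prints exactly one of: "match", "no match", "inconclusive".
# Exit status: 1 = match, 0 = no match, 2 = inconclusive.
check_file() {
    file=$1; pattern=$2; shift 2
    [ $# -gt 0 ] || set -- hexdump grep      # default required tools
    have_tools "$@" || { echo inconclusive; return 2; }
    [ -r "$file" ]  || { echo inconclusive; return 2; }
    # Capture the dump first so a failing hexdump is seen, not hidden in a pipe.
    dump=$(hex_of "$file") || { echo inconclusive; return 2; }
    [ -n "$dump" ]         || { echo inconclusive; return 2; }
    if printf '%s' "$dump" | grep -qF -- "$pattern"; then
        echo match
        return 1
    fi
    echo "no match"
    return 0
}
```

A caller should treat exit status 2 as "check could not run" and never fold it into the clean result.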

