The xz-utils backdoor succeeded not because of xz itself, but because GNU IFUNC and the OpenSSH-systemd patches created an exploitable dynamic linking path into sshd.
Key Takeaways
Attack chain: Debian/Fedora patched OpenSSH to depend on libsystemd, which depends on xz-utils, which used GNU IFUNC, landing xz code in sshd’s address space.
GNU IFUNC lets arbitrary code run before main while the Global Offset Table is still writable, bypassing RELRO protections entirely.
The systemd-OpenSSH patches were never merged into Portable OpenSSH or upstream; siloed maintainer teams created the gap attackers exploited.
Alternatives to IFUNC exist: global function pointers with mprotect, LD_PRELOAD switching, or separate per-feature binaries – all simpler and harder to weaponize.
Even GCC developers have called IFUNC a mistake and considered adding compiler warnings; Apple similarly regrets its Mach-O .symbol_resolver equivalent.
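The "global function pointers with mprotect" alternative listed above, as an added example that is not code from the article or from any project it discusses: the implementation is chosen by an explicit call made by the program itself, and the pointer is then sealed read-only. The function names, the SEAL_ALIGN value and the sample bytes are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
#define SEAL_ALIGN 65536 /* assumption: >= the largest page size in use */
typedef uint32_t (*sum_fn)(const uint8_t *, size_t);

/* Two hypothetical implementations of one routine. */
static uint32_t sum_generic(const uint8_t *p, size_t n) {
    uint32_t s = 0;
    for (size_t i = 0; i < n; i++) s += p[i];
    return s;
}
static uint32_t sum_unrolled(const uint8_t *p, size_t n) {
    uint32_t s = 0; size_t i = 0;
    for (; i + 4 <= n; i += 4) s += p[i] + p[i + 1] + p[i + 2] + p[i + 3];
    for (; i < n; i++) s += p[i];
    return s;
}

/* The dispatch table sits alone on its own pages so it can be sealed. */
static union { struct { sum_fn sum; int ready; } t; char pad[SEAL_ALIGN]; }
    table __attribute__((aligned(SEAL_ALIGN)));

/* Called explicitly by the program once main is running, not by the loader. */
int dispatch_init(int want_unrolled) {
    if (table.t.ready) return -1;                     /* already chosen */
    table.t.sum = want_unrolled ? sum_unrolled : sum_generic;
    table.t.ready = 1;
    return mprotect(&table, sizeof table, PROT_READ); /* seal the pointer */
}

uint32_t checksum(const uint8_t *p, size_t n) { return table.t.sum(p, n); }

/* Returns 1 if a write to the sealed table faults (probed in a child). */
int dispatch_is_sealed(void) {
    int st = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { *(volatile sum_fn *)&table.t.sum = sum_generic; _exit(0); }
    if (waitpid(pid, &st, 0) != pid) return -1;
    return WIFSIGNALED(st) && (WTERMSIG(st) == SIGSEGV || WTERMSIG(st) == SIGBUS);
}

int main(void) {
    static const uint8_t msg[] = {1, 2, 3, 4, 5};     /* constructed input */
    if (dispatch_init(1) != 0) return 1;
    return !(checksum(msg, sizeof msg) == 15 && dispatch_is_sealed() == 1);
}
```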
Hacker News Comment Review
One commenter initially pushed back hard on the framing that OpenBSD developers don’t support Linux, but a reply clarified the article actually agrees: Portable OpenSSH maintainers explicitly rejected the libsystemd dependency.
Discussion is thin; the technical substance is mostly in the article itself rather than the thread.