Opened 4 weeks ago
Last modified 4 weeks ago
#5471 new enhancement
xz-5.8.0 (wait for this release)
| Reported by: | Xi Ruoyao | Owned by: | lfs-book |
|---|---|---|---|
| Priority: | normal | Milestone: | 12.2 |
| Component: | Book | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
https://www.openwall.com/lists/oss-security/2024/03/29/4
Though the injected malicious code is inactive for LFS (because we're not building RPM or DEB; see the "Affected Systems" section of the oss-security post), the gentleman who introduced the code has made many commits to xz, and we are not sure how many of them are malicious as well.
Change History (4)
comment:1 by , 4 weeks ago
comment:2 by , 4 weeks ago
I didn't check all 9 commits, but at least one commit was only spelling and spacing. The reaction seems to be pretty extreme. How do we know that the user wasn't just hacked and it was someone else that injected the malicious code with those credentials?
There is a lot of activity going on with respect to this. Let's give it 24 hours.
comment:3 by , 4 weeks ago
Lasse Collin is back on line and working on it: https://tukaani.org/xz-backdoor/
comment:4 by , 4 weeks ago
| Priority: | highest → normal |
|---|---|
| Summary: | xz-?.?? → xz-5.8.0 (wait for this release) |
Lasse will release 5.8.0 once everything gets audited.
Also reset the priority to normal given LFS is not affected by this backdoor. If some other malicious thing is found we can raise the priority again.
The most recent release w/o this gentleman's commit is 5.2.5, but if we revert to 5.2.5 we'll need https://xz.tukaani.org/xz-utils/xzgrep-ZDI-CAN-16587.patch.
https://github.com/tukaani-project/xz/pull/95 suggests at least 9 commits are suspicious.