Re: Backdoor in xz 5.6.0
- In reply to: Alan Somers : "Backdoor in xz 5.6.0"
Date: Sat, 30 Mar 2024 00:12:00 UTC
On Fri, Mar 29, 2024 at 05:47:51PM -0600, Alan Somers wrote:
> A malicious developer added a backdoor to xz 5.6.0 and 5.6.1, and
> snuck it into Fedora builds. That's the same version that FreeBSD
> CURRENT uses. For multiple reasons we aren't vulnerable (the
> malicious code isn't included in xz's git repo, only its dist
> tarballs, the malicious code is only triggered on x86_64 linux in an
> rpm or deb build, and the malicious code resides in a .m4 file which
> our build process doesn't use). But upstream considers all of 5.6.0
> to be untrustworthy and recommends that everyone to 5.4.5.

I haven't seen any statement by upstream (the Tukaani project), yet.

The bad actor has enjoyed a maintainership role for the xz project for
at least one-and-a-half years (since 2022). We might experience another
"OpenSSL Heartbleed" reactionary moment whereby the entire project is
audited. Until then, some folks would not consider it over-reactionary
to distrust any work since the bad actor started contributing.

This would apply to other projects the bad actor contributed to as
well, like libarchive.

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
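The quoted message notes that the malicious code lived only in the xz dist tarballs and not in the git repository. The script below is an added example, not code from this thread, from FreeBSD or from the xz project, showing the triage check a packager can run against any release: list the files that exist only in the extracted tarball, and the files that exist in both trees but differ. The two directory trees it compares are constructed in a temporary directory purely for the demo; in practice you would point it at a checkout of the release tag and at the unpacked tarball. Generated autotools output (configure, Makefile.in, much of m4/) is expected to show up as tarball-only, so the output is a review list, not a verdict.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the xz project):
# compare a git checkout of a release against the extracted dist tarball.

# Print paths present under the tarball tree ($2) but absent from the git
# tree ($1). Uses sorted relative file lists and comm(1).
tarball_only_files() {
    repo_dir=$1
    dist_dir=$2
    tmp_repo=$(mktemp)
    tmp_dist=$(mktemp)
    (cd "$repo_dir" && find . -type f | sed 's|^\./||' | LC_ALL=C sort) > "$tmp_repo"
    (cd "$dist_dir" && find . -type f | sed 's|^\./||' | LC_ALL=C sort) > "$tmp_dist"
    # comm -13 prints lines that appear only in the second file (the tarball).
    LC_ALL=C comm -13 "$tmp_repo" "$tmp_dist"
    rm -f "$tmp_repo" "$tmp_dist"
}

# Print paths present in both trees whose contents differ byte for byte.
differing_files() {
    repo_dir=$1
    dist_dir=$2
    (cd "$repo_dir" && find . -type f | sed 's|^\./||' | LC_ALL=C sort) |
    while IFS= read -r f; do
        if [ -f "$dist_dir/$f" ] && ! cmp -s "$repo_dir/$f" "$dist_dir/$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Build a constructed pair of trees for the demo (hypothetical content, not
# real xz files): "git" stands for the release-tag checkout, "dist" for the
# unpacked tarball. Prints the base directory.
make_demo_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/git/m4" "$base/git/src" "$base/dist/m4" "$base/dist/src"
    for d in git dist; do
        printf 'AC_INIT\n' > "$base/$d/configure.ac"
        printf 'int main(void) { return 0; }\n' > "$base/$d/src/main.c"
        printf 'dnl shared macro\n' > "$base/$d/m4/shared.m4"
    done
    # Generated configure script: only in the tarball, expected noise.
    printf '#!/bin/sh\n' > "$base/dist/configure"
    # Constructed macro file that exists only in the tarball: review it.
    printf 'dnl constructed extra\n' > "$base/dist/m4/constructed-extra.m4"
    # Constructed change to a file that exists in both trees: review it.
    printf 'dnl constructed addition\n' >> "$base/dist/m4/shared.m4"
    printf '%s\n' "$base"
}

# Stand-alone run: show both review lists for the constructed trees.
demo_base=$(make_demo_trees)
echo "Files only in the dist tarball (review each one):"
tarball_only_files "$demo_base/git" "$demo_base/dist"
echo "Files present in both trees but with different contents:"
differing_files "$demo_base/git" "$demo_base/dist"
rm -rf "$demo_base"
```

Running the script against the constructed trees lists `configure` and `m4/constructed-extra.m4` as tarball-only and `m4/shared.m4` as modified. On a real release the same two lists are what a reviewer reads before trusting a tarball over the tagged source; a clean run is necessary but not sufficient, since it says nothing about code that was committed to git in the first place.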