arizvisa
dice
oss-security - backdoor in upstream xz/liblzma leadi...
wow, pretty neat. xz/liblzma was backdoor'd, which included specific code to tamper with ssh. to clarify, it was caught due to valgrind and the backdoor affecting performance.
these are the commits here: https://github.com/tukaa...
#debian #security #lzma #xz #backdoor #cve-2024-3094
wow, pretty neat. xz/liblzma was backdoor'd, which included specific code to tamper with ssh. to clarify, it was caught due to valgrind and the backdoor affecting performance.
these are the commits here: https://github.com/tukaa...
#debian #security #lzma #xz #backdoor #cve-2024-3094
if you're not familiar w/ GH, the record of that user's commits can be listed at: https://github.com/tukaa...
other than the tests, these are the commits containing code contributed by just that one guy:
e446ab7a18abfde18f8d1cf02a914df72b1370e3
de5c5e417645ad8906ef914bc059d08c1462fc29
d0f33d672a4da7985ebb5ba8d829f885de49c171
8f236574986e7c414c0ea059f441982d1387e6a4
3d5a99ca373a4e86faf671226ca6487febb9eeac
18d7facd3802b55c287581405c4d49c98708c136
ae5c07b22a6b3766b84f409f1b6b5c100469068a
455a08609caa3223066a717fb01bfa42c5dba47d
82ecc538193b380a21622aea02b0ba078e7ade92
96b663f67c0e738a99ba8f35d9f4ced9add74544
761f5b69a4c778c8bcb09279b845b07c28790575
other than the crc work, the illegitimate tests, and the broken landlock option, they also did some work on xz's filter chains. they also committed two patches in regards to integer overflow checks during encoding. i haven't really verified the details of these thoroughly, tho.
seems absurd to just revert the commits of the entire project by 2 years tho (whee, debian). fortunately, i'm not "smart" enough to care about security policies and all that other higher-level crap.
Oh, probably worth noting that Jia has used these accounts to contribute.
Jia Cheong Tan <[email protected]>jiat75 <[email protected]>Jia Tan <[email protected]>Jia Tan <[email protected]>