https://github.com/libarchive/libarchive/pull/1609
He replaced safe printf calls with unsafe versions. We as devs must be more vigilant when we accept PRs and add new dependencies.
quotingHeads up if using the testing / unstable version of Debian, Ubuntu, NixOS or other Linux OS based on these, there is malicious code in the latest xz package: https://www.openwall.com/lists/oss-security/2024/03/29/4
nevent1q…ww3f
>The malicious injection present in the xz versions 5.6.0 and 5.6.1
>Luckily xz 5.6.0 and 5.6.1 have not yet widely been integrated by linux distributions, and where they have, mostly in pre-release versions.
Running stable versions are fine:
₿ xz --version
xz (XZ Utils) 5.4.1
liblzma 5.4.1