Unfolding now: https://news.ycombinator.com/item?id=39865810
- https://www.openwall.com/lists/oss-security/2024/03/29/4
- https://github.com/tukaani-project/xz/commit/cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0
An incredibly technically complex #backdoor in xz (potentially also in libarchive and elsewhere) was just discovered. This backdoor has been quietly implemented over years, with the assistance of a wide array of subtly interconnected accounts:
- https://github.com/tukaani-project/xz/commit/ee44863ae88e377a5df10db007ba9bfadde3d314
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708
- https://github.com/jamespfennell/xz/pull/2
The timeline on this is going to take so long to unravel
#security #linux
Evan Boehs /
npub1ys…w0ve5
2024-03-29 19:43:41
Author Public Key
npub1ysjtd466takqccw983trquu5ycwu5gqsk6ydymvlrp2zv0dlphlq8w0ve5Published at
2024-03-29 19:43:41Event JSON
{
"id": "66e7216385b17b94e7b5beee15731ffb3e7d67ccda50323d81000a8796d53009",
"pubkey": "2424b6d75a5f6c0c61c53c56307394261dca2010b688d26d9f1854263dbf0dfe",
"created_at": 1711737821,
"kind": 1,
"tags": [
[
"t",
"security"
],
[
"t",
"linux"
],
[
"t",
"backdoor"
],
[
"proxy",
"https://social.coop/users/eb/statuses/112180449849400086",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://social.coop/users/eb/statuses/112180449849400086",
"pink.momostr"
]
],
"content": "Unfolding now: https://news.ycombinator.com/item?id=39865810\n\n- https://www.openwall.com/lists/oss-security/2024/03/29/4\n- https://github.com/tukaani-project/xz/commit/cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0\n\nAn incredibly technically complex #backdoor in xz (potentially also in libarchive and elsewhere) was just discovered. This backdoor has been quietly implemented over years, with the assistance of a wide array of subtly interconnected accounts:\n\n- https://github.com/tukaani-project/xz/commit/ee44863ae88e377a5df10db007ba9bfadde3d314\n- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1067708\n- https://github.com/jamespfennell/xz/pull/2\n\nThe timeline on this is going to take so long to unravel\n\n#security #linux",
"sig": "2989ea9c37cb65060ec5e62b8fd503edc1d2316fc57a0f3862ea3390c15ab9ec7abd15bcdef5a10e184b1b4e18dbd5ba32f5d7d519090ee54c0d89b51d3126f8"
}