floss.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Berto Garcia

This is big: one of the xz-utils / liblzma *upstream maintainers* added malicious code to the last couple of releases. This is the person who actually publishes and signs the tarballs. If you are using liblzma 5.6.0 or 5.6.1 make sure to update your packages asap and consider reinstalling the OS or recreating the container.

openwall.com/lists/oss-securit
(link preview: www.openwall.com, "oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise")
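A quick way to act on the post's advice: the script below is an added example, not code from the thread or from the xz project. It reads the two-line output of `xz --version` (the real format is "xz (XZ Utils) X.Y.Z" followed by "liblzma X.Y.Z") and reports whether the liblzma it names is one of the two releases the post identifies. The sample outputs are constructed, not captured from a real host, and the `XZ_CHECK_LIVE` switch is this example's own convention.

```shell
#!/bin/sh
# Added example, not code from the thread or from the xz project. It reads the
# two-line output of `xz --version` ("xz (XZ Utils) X.Y.Z" then "liblzma X.Y.Z")
# and says whether the liblzma it reports is one of the releases named above.

# Constructed sample output for a host running an affected release
# (not captured from a real machine).
SAMPLE_AFFECTED='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Constructed sample for an older, unaffected release.
SAMPLE_CLEAN='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

# Exact match against the two releases the post identifies: 5.6.0 and 5.6.1.
# Anything else (older, or a later fixed release) returns 1.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the version from the "liblzma X.Y.Z" line of `xz --version` on stdin.
# The liblzma line is used rather than the xz line because the library is the
# component the post says carries the malicious code; fails if no such line.
liblzma_version_from_output() {
    awk '/^liblzma / { print $2; found = 1 } END { if (!found) exit 1 }'
}

# Read `xz --version` text from stdin, print a verdict, and return 0 when the
# reported liblzma is 5.6.0 or 5.6.1, 1 when it is not, 2 if unparsable.
check_xz_output() {
    ver=$(liblzma_version_from_output) || {
        echo "could not find a liblzma version line" >&2
        return 2
    }
    if xz_version_affected "$ver"; then
        echo "liblzma $ver: AFFECTED, update xz-utils/liblzma now"
        return 0
    fi
    echo "liblzma $ver: not one of the affected releases"
    return 1
}

# Live check of the local install, opt-in so the file can also be sourced
# without side effects:
#   XZ_CHECK_LIVE=1 sh check-xz.sh
if [ "${XZ_CHECK_LIVE:-0}" = 1 ] && command -v xz >/dev/null 2>&1; then
    xz --version | check_xz_output
fi
```

Note that a version check only tells you which release a package reports; it does not prove a host was not touched by something else, which is why the post also suggests reinstalling the OS or recreating the container.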

Looking back at the archives, there was a certain Jigar Kumar posting to the xz-devel mailing list *two years ago* pressuring the original maintainer to accept help from other people:

mail-archive.com/xz-devel@tuka

mail-archive.com/search?q=Kuma
(link preview: www.mail-archive.com, "Re: [xz-devel] XZ for Java")

@berto This person seems to have committed to various other repositories, such as the Linux kernel. Do you know if there is an audit on that code as well?

@Logical_Error I don't think I have seen code in the kernel, just mentions of their name in the maintainers file

@berto From the looks of it, it may be that vcpkg or Meson wraps of liblzma (if available) were not vulnerable? Seeing as the exploit needs to be injected through autotools

@crystalmoon right, the payload is injected by a modified autotools file not present in the git repository
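The reply above is the practical takeaway: the malicious build file was shipped in the release tarball but is not in git, so comparing the two is a check anyone can run. The script below is an added example, not code from the thread or from the xz project. Given an unpacked tarball directory and a git checkout of the matching tag, it lists the files under one subdirectory (m4/ by default, where autoconf macro files live) that exist only in the tarball, and separately the files present in both trees whose contents differ. The fixture it builds uses hypothetical file names; they are not the real xz tree.

```shell
#!/bin/sh
# Added example, not from the thread or the xz project. Compares the files
# under one subdirectory (default m4/) of an unpacked release tarball against
# a git checkout of the same tag, reporting files only in the tarball and
# files present in both trees with different contents.

# Print the sorted list of files under "$2" inside root "$1", relative to
# the root so the two trees compare cleanly. Empty output if "$2" is absent.
list_files_sorted() {
    ( cd "$1" && find "$2" -type f 2>/dev/null | sort )
}

# Files under "$3" (default m4) present in tarball dir "$1" but not in git
# checkout "$2". comm -23 prints lines unique to the first list.
tarball_only_files() {
    tb_dir=$1
    git_dir=$2
    sub=${3:-m4}
    tmp_tb=$(mktemp)
    tmp_git=$(mktemp)
    list_files_sorted "$tb_dir" "$sub" > "$tmp_tb"
    list_files_sorted "$git_dir" "$sub" > "$tmp_git"
    comm -23 "$tmp_tb" "$tmp_git"
    rm -f "$tmp_tb" "$tmp_git"
}

# Files under "$3" present in both trees whose contents differ. comm -12
# prints lines common to both lists; cmp -s then compares each pair.
tarball_modified_files() {
    tb_dir=$1
    git_dir=$2
    sub=${3:-m4}
    tmp_tb=$(mktemp)
    tmp_git=$(mktemp)
    list_files_sorted "$tb_dir" "$sub" > "$tmp_tb"
    list_files_sorted "$git_dir" "$sub" > "$tmp_git"
    comm -12 "$tmp_tb" "$tmp_git" | while IFS= read -r f; do
        cmp -s "$tb_dir/$f" "$git_dir/$f" || echo "$f"
    done
    rm -f "$tmp_tb" "$tmp_git"
}

# Constructed fixture (hypothetical file names, not the real xz tree): a tiny
# "tarball" and "git" tree that share one identical macro file, share one
# file that was altered in the tarball, and have one file only in the
# tarball. Prints the fixture root so the caller can remove it.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/tarball/m4" "$root/git/m4"
    printf 'dnl tracked macro\n' > "$root/tarball/m4/tracked-macro.m4"
    printf 'dnl tracked macro\n' > "$root/git/m4/tracked-macro.m4"
    printf 'dnl tracked macro, original\n' > "$root/git/m4/changed-macro.m4"
    printf 'dnl tracked macro, altered in tarball\n' > "$root/tarball/m4/changed-macro.m4"
    printf 'dnl shipped only in the tarball\n' > "$root/tarball/m4/extra-macro.m4"
    echo "$root"
}

# Demo against the fixture. Real use against a release and a checkout:
#   tarball_only_files ./xz-5.6.1 ./xz-git-checkout
#   tarball_modified_files ./xz-5.6.1 ./xz-git-checkout
demo() {
    root=$(make_fixture)
    echo "only in tarball:"
    tarball_only_files "$root/tarball" "$root/git"
    echo "modified in tarball:"
    tarball_modified_files "$root/tarball" "$root/git"
    rm -rf "$root"
}
```

Restricting the comparison to a subdirectory matters: a release tarball legitimately adds generated output such as `configure` and `Makefile.in` that git does not track, so a whole-tree diff produces noise, while the macro directory is where a hand-edited build file stands out.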