Backdoor in upstream xz/liblzma leading to ssh server compromise

[scsijon]

https://www.openwall.com/lists/oss-secu ... 24/03/29/4
there's more around if you search
jon

[scsijon]

further to this is apparently microsoft's reply to the problem was >

Date: Sat, 30 Mar 2024 15:11:47 -0500
From: Rob Landley <rob@landley.net>
To: toybox <toybox@lists.landley.net>
Subject: [Toybox] Microsoft github took down the xz repo.
Message-ID: <ab361ddc-3133-062e-3e43-6c5d6d8b397c@landley.net>
Content-Type: text/plain; charset=UTF-8

FYI, Microsoft Github disabled the xz repository because it became
"controversial" (I.E. there was an exploit in the news).

https://social.coop/@eb/112182149429056593

https://github.com/tukaani-project/xz

I'm assuming if toybox ever has a significant bug, microsoft would respond by
deleting the toybox repository. There's a reason that I have
https://landley.net/toybox/git on my website, and my send.sh script pushes to
that _before_ pushing to microsoft github.

Luckily the xz guys don't seem to trust microsoft github either, because the
upstream of the xz-embedded repo with the public domain code I cloned is:

https://git.tukaani.org/xz-embedded.git

Which is still available.

Rob

[ozsouth]

Default puppies seem to be safe, as 5.6.0+ is not used there. xz versions used in recent puppies:

5.4.1 Bookwormpup64-10.0.6

5.4.1 Vanilladpup-10.0.47

5.2.4 Fossapup64-9.6-4CE

5.2.5 s15pup64-22.12-240223

Older default puppies unaffected. xz was not upgraded in any of my recent remasters. 'Latest is not always greatest'.

[captainkennway]

I'm using jackal pup and there are liblzma 5.2.4 and xz-utilis 5.2.4 already installed in my package manager