
The xz backdoor was an example of exploiting this disconnect. It was not present in the repository; it was inserted only into the release artifacts. Anyone getting xz by checking out the repository and building it themselves would not be affected by it.


I think that's a slight mischaracterization. It was present in the repo but obfuscated and rigged to only apply in release artifacts.

A sufficiently technical user could have found it but that bar was pretty high to clear.


I'm pretty sure that's incorrect. One portion of the build-to-host buildfile was only present in the release tarball.

https://www.openwall.com/lists/oss-security/2024/03/29/4


Right, but it was injected from data in a "corrupt" xz file in the repo under certain conditions.

>This injects an obfuscated script to be executed at the end of configure. This script is fairly obfuscated and data from "test" .xz files in the repository.

>The files containing the bulk of the exploit are in an obfuscated form in tests/files/bad-3-corrupt_lzma2.xz tests/files/good-large_compressed.lzma committed upstream
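
The check this thread points at, as an added example that is not part of any comment above: compare a release tarball against a checkout of the tagged source and list files that exist only in the tarball or whose contents differ. The package name, file names and contents in `demo()` are constructed placeholders; autotools tarballs legitimately carry generated files, so the output is a review list rather than a verdict.

```python
import hashlib, io, os, tarfile, tempfile

def tree_hashes(root):
    """Map relative path -> SHA-256 for every file in a checkout, skipping .git."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def tarball_hashes(fileobj):
    """Map path (top-level directory stripped) -> SHA-256 for regular files."""
    out = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                rel = member.name.split("/", 1)[-1]
                data = tar.extractfile(member).read()
                out[rel] = hashlib.sha256(data).hexdigest()
    return out

def compare(tar_fileobj, checkout_dir):
    """Return (files only in the tarball, files whose content differs)."""
    tar_h, repo_h = tarball_hashes(tar_fileobj), tree_hashes(checkout_dir)
    only_in_tarball = sorted(set(tar_h) - set(repo_h))
    modified = sorted(p for p in tar_h.keys() & repo_h.keys() if tar_h[p] != repo_h[p])
    return only_in_tarball, modified

def demo():
    """Constructed sample: a two-file 'repo' and a tarball with one extra, one changed file."""
    repo_files = {"configure.ac": b"AC_INIT\n", "src/main.c": b"int main(void){return 0;}\n"}
    tar_files = dict(repo_files)
    tar_files["m4/tarball-only.m4"] = b"# constructed placeholder\n"
    tar_files["configure.ac"] = b"AC_INIT\n# constructed change\n"
    with tempfile.TemporaryDirectory() as repo:
        for rel, data in repo_files.items():
            path = os.path.join(repo, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tar:
            for rel, data in tar_files.items():
                info = tarfile.TarInfo("pkg-1.0/" + rel)
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
        buf.seek(0)
        return compare(buf, repo)
```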



