|
|
|
|
|
|
by hiisukun
698 days ago
|
|
|
I guess for those not sure of the context: The user Jia Tan added exploit code to the 'xz' tool as part of a larger deal. Wikipedia has a page on it here [1]. In this post, they are discussing some changes to print code specifically for the libarchive project, and some notable personalities in the security community chime in, including Colin Percival (Tarsnap among others) and Taviso (Google project zero among others). [1] https://en.wikipedia.org/wiki/XZ_Utils_backdoor |
|
|
Various discussions on this backdoor (in rough chronological order):
* Backdoor in upstream xz/liblzma leading to SSH server compromise:† https://news.ycombinator.com/item?id=39865810
* What we know about the xz Utils backdoor that almost infected the world: https://news.ycombinator.com/item?id=39891607
* How the XZ Backdoor Works: https://news.ycombinator.com/item?id=39911311
* The xz sshd backdoor rabbithole goes quite a bit deeper: https://news.ycombinator.com/item?id=39956455
* XZ backdoor story – Initial analysis: https://news.ycombinator.com/item?id=40017310
† Original report, AFAICT.