by arp242
361 days ago
As far as I know there are zero examples, CVE or not. I have asked several times over the years and thus far no one has been able to provide an example. It just doesn't happen because it just doesn't make much sense. As I already said years ago[1], if you want to hide some nefarious stuff then you'd do it in something like autoconf soup, or something like that. The install.sh is just too obvious of a place. And this is exactly what happened in the real-world xz attack. I can guarantee you very few, if any, packagers are auditing all of that. And even if they did: it's just so easy to miss.

[1]: https://www.arp242.net/curl-to-sh.html