Bug 33038

Summary: backdoor the xz/liblzma package
Product: Mageia
Reporter: Mészáros Csaba <csablak>
Component: RPM Packages
Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED INVALID
QA Contact:
Severity: critical
Priority: Normal
CC: davidwhodgins
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: xz
CVE:
Status comment:

Description Mészáros Csaba 2024-03-31 11:33:43 CEST
Description of problem:
https://www.openwall.com/lists/oss-security/2024/03/29/4
Comment 1 Dave Hodgins 2024-03-31 17:38:41 CEST
The backdoor never made it into Mageia.

Mageia 8 has xz 5.4.3
Cauldron has xz 5.4.6

The backdoor was introduced in version 5.6.0 with further changes in 5.6.1,
neither of which were ever imported into Mageia.

CC: (none) => davidwhodgins
Status: NEW => RESOLVED
Resolution: (none) => INVALID
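
Added example (not part of this bug report, of Mageia's packaging, or of upstream xz): a POSIX sh check that turns the version reasoning in comment 1 into something a packager or admin can run. It treats exactly 5.6.0 and 5.6.1 as the backdoored releases, compares version components numerically rather than as strings so that 5.10.x is not misread as older than 5.6, and parses both the first line of "xz --version" and an rpm name as printed by "rpm -q xz". The function names and the sample version strings (including "xz-5.4.6-1.mga10.x86_64") are constructed for this example.

```sh
#!/bin/sh
# Added example, not Mageia's or upstream's code.  Flags xz versions in the
# backdoored release range named in comment 1: exactly 5.6.0 and 5.6.1.
# Anything older (Mageia 8's 5.4.3, Cauldron's 5.4.6) never contained the
# backdoor; upstream's later releases are the cleaned ones.
# Plain POSIX sh, so no 'local': helper variables are global.

# xz_is_backdoored_release VERSION
# Exit 0 when VERSION is 5.6.0 or 5.6.1, 1 otherwise.  A distro suffix such
# as "-1.mga10" is stripped first.  Components are compared as numbers, not
# strings, so "5.10.0" is not misread as older than "5.6.0".
xz_is_backdoored_release() {
    ver=${1%%[-+~]*}
    # Split on dots with parameter expansion only (no IFS games, no globbing).
    major=${ver%%.*}
    rest=${ver#"$major"}; rest=${rest#.}
    minor=${rest%%.*}
    rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    case "$major$minor$patch" in
        *[!0-9]*) return 1 ;;    # not a plain dotted version: does not match
    esac
    [ "$major" -eq 5 ] && [ "$minor" -eq 6 ] &&
        { [ "$patch" -eq 0 ] || [ "$patch" -eq 1 ]; }
}

# xz_version_from_banner BANNER
# Extract the version token from the first line of 'xz --version' output,
# e.g. "xz (XZ Utils) 5.6.1".  Prints nothing if the banner is unrecognised.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^.* \([0-9][0-9.]*\).*$/\1/p'
}

# xz_version_from_rpm_nevr NEVR
# Pull the upstream version out of an rpm name as printed by 'rpm -q xz',
# e.g. "xz-5.4.6-1.mga10.x86_64" -> "5.4.6".
xz_version_from_rpm_nevr() {
    nv=${1%-*}                  # drop release (and arch): xz-5.4.6
    printf '%s\n' "${nv##*-}"   # drop name: 5.4.6
}

# check_installed_xz
# Inspect the xz binary on this host.  Exit 0 if it is not an affected
# release, 1 if it is a backdoored release, 2 if xz is missing or its
# banner could not be parsed.
check_installed_xz() {
    command -v xz >/dev/null 2>&1 || { echo "xz: not installed"; return 2; }
    v=$(xz_version_from_banner "$(xz --version 2>/dev/null)")
    [ -n "$v" ] || { echo "xz: could not parse version banner"; return 2; }
    if xz_is_backdoored_release "$v"; then
        echo "xz $v: backdoored release, replace it before doing anything else"
        return 1
    fi
    echo "xz $v: not an affected release"
    return 0
}

# Constructed inputs: the versions from comment 1 plus the two bad releases
# and one carrying a distro suffix.
for v in 5.4.3 5.4.6 5.6.0 5.6.1 5.6.1-1.mga10 5.6.2; do
    if xz_is_backdoored_release "$v"; then
        echo "$v: BACKDOORED"
    else
        echo "$v: not affected"
    fi
done

# Finally look at whatever xz this host actually has.
check_installed_xz
```

Run it as "sh xz-check.sh"; the loop output shows the classification of each constructed version, and the final line reports the host's own xz. The numeric comparison matters because a lexical test such as "5.10.0" < "5.6.0" would mis-classify future point releases.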

Comment 2 Dave Hodgins 2024-03-31 17:40:19 CEST
See https://tukaani.org/xz-backdoor/ and
https://gynvael.coldwind.pl/?lang=en&id=782
for details of how the backdoor worked and was introduced.