Bug 33038 - backdoor the xz/liblzma package
Summary: backdoor the xz/liblzma package
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: Cauldron
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: Mageia Bug Squad
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-03-31 11:33 CEST by Mészáros Csaba
Modified: 2024-03-31 17:40 CEST

See Also:
Source RPM: xz
CVE:
Status comment:



Description Mészáros Csaba 2024-03-31 11:33:43 CEST
Description of problem:
https://www.openwall.com/lists/oss-security/2024/03/29/4
Comment 1 Dave Hodgins 2024-03-31 17:38:41 CEST
The backdoor never made it into Mageia.

Mageia 8 has xz 5.4.3
Cauldron has xz 5.4.6

The backdoor was introduced in version 5.6.0 with further changes in 5.6.1,
neither of which was ever imported into Mageia.

CC: (none) => davidwhodgins
Status: NEW => RESOLVED
Resolution: (none) => INVALID
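
The version reasoning in comment 1 (the backdoor shipped only in upstream xz 5.6.0 and 5.6.1; Mageia carries 5.4.3 and 5.4.6) turned into a host check. This is an added example, not code from the bug report or from Mageia's packaging tools. It assumes that the installed RPMs match the globs `xz*` and `*lzma*` (Mageia names them xz and lib64lzma5/liblzma5) and that `xz --version` prints the xz version on its first line and the liblzma version on its second; both are assumptions, not facts stated in the bug.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Mageia's packaging tools.
# Turns the reasoning in comment 1 (backdoor only in upstream xz 5.6.0 and
# 5.6.1; Mageia carries 5.4.3 / 5.4.6) into a check of the local host.
# Assumptions: installed RPMs match the globs 'xz*' and '*lzma*', and
# `xz --version` prints the xz version on line 1 and liblzma's on line 2.

# Pull the first X.Y.Z version out of a string. Understands bare versions
# ("5.4.6"), `xz --version` output ("xz (XZ Utils) 5.6.1", "liblzma 5.6.1")
# and RPM name-version-release strings ("lib64lzma5-5.4.6-1.mga9").
# Prints nothing if the string carries no version.
xz_extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Exit status 0: the string names one of the backdoored upstream releases.
# Exit status 1: a version was found and it is not 5.6.0 or 5.6.1.
# Exit status 2: no version could be parsed from the string.
xz_version_is_backdoored() {
    ver=$(xz_extract_version "$1")
    [ -n "$ver" ] || return 2
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Inventory the installed xz/liblzma RPMs and the xz binary, classify every
# line, and print one verdict per line. Exit status 0 if any affected
# version was seen, 1 if everything seen was a non-affected version,
# 2 if neither rpm nor xz produced anything to check.
xz_host_is_backdoored() {
    inventory=""
    if command -v rpm >/dev/null 2>&1; then
        inventory=$(rpm -qa 'xz*' '*lzma*' 2>/dev/null)
    fi
    if command -v xz >/dev/null 2>&1; then
        inventory="$inventory
$(xz --version 2>/dev/null)"
    fi
    found=0
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        found=1
        rc=0
        xz_version_is_backdoored "$line" || rc=$?
        case "$rc" in
            0) printf 'AFFECTED  %s\n' "$line"; bad=1 ;;
            1) printf 'clean     %s\n' "$line" ;;
            *) printf 'unparsed  %s\n' "$line" ;;
        esac
    done <<EOF
$inventory
EOF
    if [ "$found" -eq 0 ]; then
        echo "no xz/liblzma package or binary found"
        return 2
    fi
    if [ "$bad" -eq 1 ]; then
        return 0
    fi
    return 1
}

# Stand-alone run: report on this host.
if xz_host_is_backdoored; then
    echo "verdict: a backdoored xz/liblzma release (5.6.0 or 5.6.1) is installed"
else
    echo "verdict: no 5.6.0/5.6.1 xz or liblzma found"
fi
```

The per-line output is the same evidence comment 1 relies on, read from `rpm -qa` and `xz --version` instead of by eye. It compares version numbers only; a package rebuilt from a clean tarball but still labelled 5.6.x would be reported as affected, and a backdoored library renumbered to anything else would not, so treat it as the first pass a distribution maintainer would do, not as an inspection of the library itself.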

Comment 2 Dave Hodgins 2024-03-31 17:40:19 CEST
See https://tukaani.org/xz-backdoor/ and
https://gynvael.coldwind.pl/?lang=en&id=782
for details of how the backdoor worked and was introduced.
