root
/
xz
mirror of https://git.tukaani.org/xz.git
1
0
Fork 0
Code Issues Releases Wiki Activity
xz/src
History
Lasse Collin 1107712e37 Remove the backdoor found in 5.6.0 and 5.6.1 (CVE-2024-3094). 
While the backdoor was inactive (and thus harmless) without inserting
a small trigger code into the build system when the source package was
created, it's good to remove this anyway:

  - The executable payloads were embedded as binary blobs in
    the test files. This was a blatant violation of the
    Debian Free Software Guidelines.

  - On machines that see lots bots poking at the SSH port, the backdoor
    noticeably increased CPU load, resulting in degraded user experience
    and thus overwhelmingly negative user feedback.

  - The maintainer who added the backdoor has disappeared.

  - Backdoors are bad for security.

This reverts the following without making any other changes:

6e636819 Tests: Update two test files.
a3a29bbd Tests: Test --single-stream can decompress bad-3-corrupt_lzma2.xz.
0b4ccc91 Tests: Update RISC-V test files.
8c9b8b20 liblzma: Fix typos in crc32_fast.c and crc64_fast.c.
82ecc538 liblzma: Fix false Valgrind error report with GCC.
cf44e4b7 Tests: Add a few test files.
3060e107 Tests: Use smaller dictionary size in RISC-V test files.
e2870db5 Tests: Add two RISC-V Filter test files.

The RISC-V test files also have real content that tests the filter
but the real content would fit into much smaller files. A generator
program would need to be available as well.

Thanks to Andres Freund for finding and reporting it and making
it public quickly so others could act without a delay.
See: https://www.openwall.com/lists/oss-security/2024/03/29/4
 		2024-04-09 18:38:37 +03:00
..
common Add SPDX license identifier into 0BSD source code files. 2024-02-14 18:31:16 +02:00
liblzma Remove the backdoor found in 5.6.0 and 5.6.1 (CVE-2024-3094). 2024-04-09 18:38:37 +03:00
lzmainfo Build: Install translated lzmainfo man pages. 2024-02-17 16:23:14 +02:00
scripts xzmore: Fix typo in xzmore.1. 2024-02-21 00:30:43 +08:00
xz xz: Add comments. 2024-02-28 18:33:34 +02:00
xzdec Build: Fix Linux Landlock feature test in Autotools and CMake builds. 2024-02-28 18:31:04 +02:00
Makefile.am Add SPDX license identifier into 0BSD source code files. 2024-02-14 18:31:16 +02:00