2024年03月29日

xz/liblzma Got Backdoored (CVE-2024-3094)

The xz backdoor got caught. This affects versions 5.6 - 5.6.1. The safe version is probably 5.6.1-3. Around 2 years of commit is to be undone or have to be checked for other backdoors. Stable distros are not affected compared to rolling release distros.

The backdoor was present on the build process, not in the source code. I think it was used to inject it after building it.

Assigned CVE-2024-3094 with a score of 10/10.

Refer to https://www.openwall.com/lists/oss-security/2024/03/29/4.