The poor original maintainer of xz is on it now, and has already found another "fun" thing: https://git.tukaani.org/?p=xz.git;a=commitdiff;h=f9cf4c05edd14dedfe63833f8ccbe41b55823b00 . The configure check for enabling the Landlock sandboxing facility was subtly broken, so that Landlock support would never get enabled. The original malicious commit landed around the same timeframe as the main backdoor, also at an abnormal time of day compared to the new maintainer's historical activity pattern.
Dave Anderson (danderson@hachyderm.io)'s status on Sunday, 31-Mar-2024 22:49:04 JST
David Andersen (dave_andersen@hachyderm.io)'s status on Sunday, 31-Mar-2024 22:49:11 JST
@danderson that one is deliciously clever. I didn't see it when I looked at the diff despite having been primed to look for something evil.