Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 29 Mar 2024 12:20:00 -0400
From: Jeffrey Walton <>
Subject: Re: backdoor in upstream xz/liblzma leading to ssh
 server compromise

On Fri, Mar 29, 2024 at 12:10 PM Andres Freund <> wrote:
> After observing a few odd symptoms around liblzma (part of the xz package) on
> Debian sid installations over the last weeks (logins with ssh taking a lot of
> CPU, valgrind errors) I figured out the answer:
> The upstream xz repository and the xz tarballs have been backdoored.
> At first I thought this was a compromise of debian's package, but it turns out
> to be upstream.
> == Compromised Release Tarball ==
> One portion of the backdoor is *solely in the distributed tarballs*. For
> easier reference, here's a link to debian's import of the tarball, but it is
> also present in the tarballs for 5.6.0 and 5.6.1:
> That line is *not* in the upstream source of build-to-host, nor is
> build-to-host used by xz in git.  However, it is present in the tarballs
> released upstream, except for the "source code" links, which I think github
> generates directly from the repository contents:
> [...]

In the past I worked with the xz author on some undefined behavior in
C. His name is Lasse Collin, <>. He was
responsive and helpful.

However, I used the sources from <>, not GitHub.
And it was back in the v5.0 days, not v5.6 or v5.6.1.

I suppose it would be a good idea to give him the information.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.