fusion44 on Nostr: Things will get more interesting as the author of the malicious code has even more ...
Things will get more interesting as the author of the malicious code has even more suspicious PRs for libarchive:
https://github.com/libarchive/libarchive/pull/1609
He replaced safe printf calls with unsafe versions. We as devs must be more vigilant when we accept PRs and add new dependencies.
quoting nevent1q…ww3f
Heads up if using the testing / unstable version of Debian, Ubuntu, NixOS or other Linux OS based on these, there is malicious code in the latest xz package: https://www.openwall.com/lists/oss-security/2024/03/29/4
>The malicious injection present in the xz versions 5.6.0 and 5.6.1
>Luckily xz 5.6.0 and 5.6.1 have not yet widely been integrated by linux distributions, and where they have, mostly in pre-release versions.
Running stable versions is fine:
₿ xz --version
xz (XZ Utils) 5.4.1
liblzma 5.4.1
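The manual `xz --version` check above works for one box; for a fleet it is handy to script it. The following is an added example for this thread, not code from the original post or from the xz project: it parses `xz --version` output and flags the two releases the oss-security advisory names (5.6.0 and 5.6.1), checking both the `xz` binary line and the `liblzma` line, since the library can lag or lead the binary. The sample outputs in the block are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example: flag the xz / liblzma versions named in
# https://www.openwall.com/lists/oss-security/2024/03/29/4 (5.6.0 and 5.6.1).
# Not part of the original post or of XZ Utils.

AFFECTED_XZ='5.6.0 5.6.1'

# version_of OUTPUT NAME: print the version number that follows NAME at the
# start of a line in OUTPUT (NAME is "xz (XZ Utils)" or "liblzma"); prints
# nothing when no such line exists.
version_of() {
  printf '%s\n' "$1" | sed -n "s/^$2 \([0-9][0-9.]*\).*/\1/p" | head -n 1
}

# is_affected VERSION: exit 0 when VERSION is one of the advisory's versions.
is_affected() {
  for v in $AFFECTED_XZ; do
    [ "$1" = "$v" ] && return 0
  done
  return 1
}

# check_xz_output OUTPUT: print a verdict for the xz binary and for liblzma.
# Returns 0 only when both versions were found and neither is affected.
check_xz_output() {
  rc=0
  for name in 'xz (XZ Utils)' liblzma; do
    ver=$(version_of "$1" "$name")
    if [ -z "$ver" ]; then
      printf '%s: version not found in output\n' "$name"
      rc=1
    elif is_affected "$ver"; then
      printf '%s %s: AFFECTED, see oss-security 2024/03/29/4\n' "$name" "$ver"
      rc=1
    else
      printf '%s %s: not an affected version\n' "$name" "$ver"
    fi
  done
  return $rc
}

# Constructed sample outputs (not captured from real systems).
STABLE_OUTPUT='xz (XZ Utils) 5.4.1
liblzma 5.4.1'
BAD_OUTPUT='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
# Binary and library can differ; the library line is the one that matters
# for sshd-style loading, so it is checked on its own.
MIXED_OUTPUT='xz (XZ Utils) 5.4.1
liblzma 5.6.0'

# Check the local install when xz is on PATH.
if command -v xz >/dev/null 2>&1; then
  check_xz_output "$(xz --version 2>/dev/null)" || echo 'local xz needs attention'
fi
```

Run it on each host (or feed it saved `xz --version` output); a non-zero exit from `check_xz_output` means either an affected version or output the parser did not recognise, both of which deserve a look.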