What is Nostr?
fusion44
npub1fus…gatx
2024-03-30 10:03:05

fusion44 on Nostr: Things will get more interesting as the author of the malicious code has even more ...

Things will get more interesting as the author of the malicious code has even more suspicious PRs for libarchive:

https://github.com/libarchive/libarchive/pull/1609

He replaced safe printf calls with unsafe versions. We as devs must be more vigilant when we accept PRs and add new dependencies.

Heads up if using the testing / unstable version of Debian, Ubuntu, NixOS or other Linux OS based on these, there is malicious code in the latest xz package: https://www.openwall.com/lists/oss-security/2024/03/29/4

>The malicious injection present in the xz versions 5.6.0 and 5.6.1
>Luckily xz 5.6.0 and 5.6.1 have not yet widely been integrated by linux distributions, and where they have, mostly in pre-release versions.

Running stable versions are fine:

₿ xz --version
xz (XZ Utils) 5.4.1
liblzma 5.4.1
Author Public Key
npub1fusn44jf2h4zc7pal32a87qzhu2ruf49kd4vaws97d02jddnhs6s98gatx