kernellogger,
@kernellogger@fosstodon.org

Lasse Collin's patch-series updating the #LinuxKernel's #xz code that a few days ago hit #linux-next was dropped for now until backdooring of upstream xz is understood better:

https://lore.kernel.org/all/20240329195602.382cb1c99bb70e3d8c6093ae@linux-foundation.org/

kernellogger,
@kernellogger@fosstodon.org

Lasse Collin, original author of #Xz, replied on #LKML: https://lore.kernel.org/lkml/20240330144848.102a1e8c@kaneli/

"[…] I'm on a holiday and only happened to look at my emails and it seems to be a major mess.

My proper investigation efforts likely start in the first days of April. That is, I currently know only a few facts which alone are bad enough.

Info will be updated here: https://tukaani.org/xz-backdoor/"

#CVE20243094 #Linux #kernel #LinuxKernel #Backdoor

lewiscowles1986,
@lewiscowles1986@phpc.social

@kernellogger
Poor Lasse. I hope they have a nice holiday and when they come back, put things just right enough to be able to walk away altogether, unless someone wants to pay them a good salary to work on this crap.

Jia Tan can GTFO and is getting none of my sympathy for now as I'm presently unable to come up with a kind narrative for their actions over years. Career over.

gruifor,

@lewiscowles1986 @kernellogger I think the career of whoever is behind "Jia Tan" is going quite well and will continue to do so.

lewiscowles1986,
@lewiscowles1986@phpc.social

@gruifor @kernellogger
Do you think they successfully used the code to create an nth-stage attack to some key web-property then?

Without evidence of that, I like to hope that folks rolled things back quickly enough that we've seen the whole tail

cschabetsberger,

@kernellogger Very interesting too: Lasse Collin pushed a new commit on git(dot)tukaani(dot)org: "CMake: Fix sabotaged Landlock sandbox check."

penguin42,
@penguin42@mastodon.org.uk

@cschabetsberger @kernellogger Damn that's subtle! To me that suggests distros need to be holding 'good' config-host files and auditing changes between versions.
