Conclusions from CVE-2024-3094 (libxz disaster)

Oldřich Jedlička oldium.pro at gmail.com
Sat Mar 30 14:54:00 PDT 2024


Hi,

On Sat, 30 Mar 2024 at 16:31, Daniel Golle <daniel at makrotopia.org> wrote:
> Hiding a malicious change in a commit is infinitely harder than hiding
> it in a tarball.

Just a note: The malicious code was part of the tarball because it was
part of the main Git repository in the first place. Using Git would
not help in any way in this particular case. Just check [1] together
with the findings in [2].

[1]: https://git.tukaani.org/?p=xz.git;a=shortlog
[2]: https://boehs.org/node/everything-i-know-about-the-xz-backdoor

Cheers
Oldrich.
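The disagreement above is about whether a release tarball can carry something the tagged Git tree does not. The check a practitioner wants, whichever way that disagreement goes for a given project, is to diff the tarball against the tag. The script below is an added example for this thread, not code from the thread or from the xz project: it compares two tar archives by file content (SHA-256) after stripping the top-level directory, and reports files present only in the release tarball, files present only in Git, and files whose contents differ. The second archive is assumed to come from `git archive --format=tar --prefix=NAME-VERSION/ TAG`, so that both archives have one top-level directory. The sample trees, file names and contents in the block are constructed for the demo and do not describe any real release.

```python
"""Compare a release tarball against `git archive` output for the same tag.

Usage in practice (git command is real, names are placeholders):
    git archive --format=tar --prefix=proj-1.0/ v1.0 > from-git.tar
    python3 tardiff.py proj-1.0.tar.gz from-git.tar
"""
import hashlib
import io
import sys
import tarfile
from pathlib import PurePosixPath


def archive_digests(data: bytes) -> dict:
    """Map each regular file in a tar archive (any compression tarfile
    understands) to its SHA-256, with the leading 'proj-1.0/' component
    removed so release and git-archive paths line up."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # directories, symlinks etc. are not compared here
            parts = PurePosixPath(member.name).parts
            rel = "/".join(parts[1:]) if len(parts) > 1 else parts[0]
            digests[rel] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests


def diff_release_against_git(release_tar: bytes, git_tar: bytes) -> dict:
    """Return the three lists a reviewer needs to look at. Generated files
    (configure, Makefile.in, ...) will legitimately appear under
    'only_in_release'; every entry still needs a human to look at it."""
    rel = archive_digests(release_tar)
    git = archive_digests(git_tar)
    return {
        "only_in_release": sorted(set(rel) - set(git)),
        "only_in_git": sorted(set(git) - set(rel)),
        "modified": sorted(p for p in rel.keys() & git.keys() if rel[p] != git[p]),
    }


def make_tar(prefix: str, files: dict) -> bytes:
    """Build an uncompressed tar in memory (used only for the constructed demo)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name=f"{prefix}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample data: a tiny "tracked tree" and a "release" that adds a
# generated configure script and quietly changes one tracked m4 file.
GIT_TREE = {
    "configure.ac": "AC_INIT([demo], [1.0])\n",
    "m4/compat.m4": "dnl tracked macro\n",
    "src/main.c": "int main(void) { return 0; }\n",
}
RELEASE_TREE = dict(GIT_TREE)
RELEASE_TREE["configure"] = "#!/bin/sh\n# generated by autoconf\n"
RELEASE_TREE["m4/compat.m4"] = "dnl tracked macro\ndnl line present only in the tarball\n"


def demo() -> dict:
    """Run the comparison on the constructed archives."""
    return diff_release_against_git(make_tar("demo-1.0", RELEASE_TREE),
                                    make_tar("demo-1.0", GIT_TREE))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as a, open(sys.argv[2], "rb") as b:
            result = diff_release_against_git(a.read(), b.read())
    else:
        result = demo()
    for key, paths in result.items():
        print(f"{key}: {paths}")
```

On the constructed input this reports `configure` as only in the release (expected for an autotools tarball) and `m4/compat.m4` as modified. The point of the tool is that the modified list should normally be empty, and anything in the only-in-release list should be reproducible by re-running the project's release tooling on the tag.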



More information about the openwrt-devel mailing list