/origin/ - origin

fringe community — core services




backdoor in upstream xz/liblzma leading to ssh server compromise
https://www.openwall.com/lists/oss-security/2024/03/29/4
https://archive.ph/gAoJL

LTS users appear to be unaffected.
SSH backdoor in upstream xz/liblzma release tarballs!
https://www.openwall.com/lists/oss-security/2024/03/29/4

>After observing a few odd symptoms around liblzma (part of the xz package) on Debian sid installations over the last weeks (logins with ssh taking a lot of CPU, valgrind errors) I figured out the answer:
>The upstream xz repository and the xz tarballs have been backdoored.
>At first I thought this was a compromise of debian's package, but it turns out to be upstream.
xz-java.png
This commit was extra smelly.
https://boards.4chan.org/g/thread/99736773/#p99745030
https://desuarchive.org/g/thread/99736773/#99745030
Here's /g/ chasing squirrels.
Some more discussion on HN and that other blue site:
https://news.ycombinator.com/item?id=39877267
https://bsky.app/profile/filippo.abyssdomain.expert/post/3kowjkx2njy2b
The legend even made the logo.
Ricardo_Juchem_paged_out.png
https://gynvael.coldwind.pl/?id=782
Here's a neat write-up that gets into the meat of it.