
Comment by nijave

2 years ago

I think that's a slight mischaracterization. It was present in the repo but obfuscated and rigged to only apply in release artifacts.

A sufficiently technical user could have found it but that bar was pretty high to clear.

I'm pretty sure that's incorrect. One portion of the build-to-host buildfile was only present in the release tarball.

https://www.openwall.com/lists/oss-security/2024/03/29/4

  • Right, but it was injected from data in a "corrupt" xz file in the repo under certain conditions

    >This injects an obfuscated script to be executed at the end of configure. This script is fairly obfuscated and data from "test" .xz files in the repository.

    >The files containing the bulk of the exploit are in an obfuscated form in tests/files/bad-3-corrupt_lzma2.xz tests/files/good-large_compressed.lzma committed upstream
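
The tarball-versus-repository gap discussed in this thread can be checked mechanically. The following is an added example, not part of the thread and not code from the xz project or the oss-security post: it lists files that exist only in a release tarball or differ from the tagged repository tree. The function names, the `pkg-1.0/` prefix and all sample file contents are constructed placeholders.

```python
import hashlib
import io
import tarfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tarball_digests(tar_bytes: bytes) -> dict:
    """Map path (leading 'name-version/' stripped) -> SHA-256 per regular file."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            _, _, rel = member.name.partition("/")
            digests[rel] = sha256(tar.extractfile(member).read())
    return digests


def diff_release(tar_bytes: bytes, repo_files: dict) -> dict:
    """Compare a release tarball with {path: bytes} from the tagged repo tree."""
    shipped = tarball_digests(tar_bytes)
    repo = {path: sha256(data) for path, data in repo_files.items()}
    common = set(shipped) & set(repo)
    return {
        "only_in_tarball": sorted(set(shipped) - set(repo)),
        "modified": sorted(p for p in common if shipped[p] != repo[p]),
    }


def build_sample_tarball(files: dict) -> bytes:
    """Constructed sample: build an in-memory .tar.gz under 'pkg-1.0/'."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo("pkg-1.0/" + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample data (placeholder names and contents, not the real xz tree).
REPO = {"configure.ac": b"AC_INIT\n", "m4/check.m4": b"dnl repo version\n",
        "tests/files/sample.xz": b"\xfd7zXZ\x00"}
SHIPPED = dict(REPO, **{"m4/check.m4": b"dnl changed in release\n",
                        "configure": b"#!/bin/sh\n"})
```

Autotools release tarballs legitimately ship generated files such as `configure`, so entries under `only_in_tarball` need review rather than automatic rejection. A check like this also says nothing about data already committed to the repository, such as the test files quoted above.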