Comment by broeng
2 years ago
I'm pretty sure that's incorrect. One portion of the build-to-host buildfile was only present in the release tarball.
2 years ago
I'm pretty sure that's incorrect. One portion of the build-to-host buildfile was only present in the release tarball.
Right but it was injected from data in a "corrupt" xz file in the repo under certain conditions
>This injects an obfuscated script to be executed at the end of configure. This script is fairly obfuscated and data from "test" .xz files in the repository.
>The files containing the bulk of the exploit are in an obfuscated form in tests/files/bad-3-corrupt_lzma2.xz tests/files/good-large_compressed.lzma committed upstream