On Sat, 2024-03-30 at 14:06 +0100, Martin Jansa wrote:
> From what is publicly known it injected malicious code (through m4 macro using payload hidden in obfuscated compressed test file) into built liblzma.so.5 which then hijacks RSA_public_decrypt call e.g. in sshd (when sshd is built with patch adding systemd notifications which brings liblzma dependency to sshd e.g. on Debian and Ubuntu based systems).
>
> The build systems which just built this xz version shouldn't be affected (as it won't be using the liblzma.so from the OE build on the host).
>
> This publicly known part should be OK for OE, but it's right to be worried about the other things which aren't known (not only from these guys or from xz project).
I concur. It is worrying but I've kind of been expecting something like this for a while unfortunately. We need to watch what is going on and act accordingly if/as anything else becomes known.

Cheers,

Richard
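A check for the two conditions Martin's message turns on, added here as an example and not part of the thread: whether a host's sshd links liblzma.so.5 at all (the systemd-notify patch case), and whether the liblzma it resolves comes from the distro or, wrongly, from an OE build tree. The OE path pattern (tmp/work, tmp/sysroots*), the sshd location and all ldd output are assumptions or constructed samples.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): classify an sshd binary's
# `ldd` output. The OE build-tree path pattern below is an assumed layout; the
# sample ldd output at the bottom is constructed, not captured from a real host.

# Return 0 if the given ldd output names liblzma.so.5, 1 otherwise.
links_liblzma() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*liblzma\.so\.5[[:space:]]'
}

# Print the path liblzma.so.5 resolves to (empty if it is not linked).
liblzma_path() {
    printf '%s\n' "$1" | awk '$1 == "liblzma.so.5" && $2 == "=>" { print $3 }'
}

# Print one of: no-liblzma | host-liblzma:<path> | oe-liblzma:<path>
classify_sshd() {
    p=$(liblzma_path "$1")
    if [ -z "$p" ]; then
        echo "no-liblzma"
    elif printf '%s\n' "$p" | grep -Eq '/tmp/(work|sysroots)'; then
        echo "oe-liblzma:$p"   # host sshd picked up an OE-built library: investigate
    else
        echo "host-liblzma:$p" # distro library; check its package against the advisory
    fi
}

# Run the classification against the sshd installed on this host, if any.
check_host_sshd() {
    bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$bin" ] || { echo "no sshd found"; return 1; }
    classify_sshd "$(ldd "$bin")"
}

# Constructed ldd output: Debian-style sshd with the systemd-notify patch.
SAMPLE_PATCHED='	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f3a1c200000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f3a1c1c0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1bf00000)'
# Constructed ldd output: sshd without the patch, so no liblzma at all.
SAMPLE_PLAIN='	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f3a1c400000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1bf00000)'
# Constructed ldd output: liblzma wrongly resolved from an OE build tree.
SAMPLE_OE='	liblzma.so.5 => /home/build/tmp/sysroots-components/core2-64/xz/usr/lib/liblzma.so.5 (0x00007f3a1c1c0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1bf00000)'

classify_sshd "$SAMPLE_PATCHED"   # host-liblzma:/lib/x86_64-linux-gnu/liblzma.so.5
classify_sshd "$SAMPLE_PLAIN"     # no-liblzma
classify_sshd "$SAMPLE_OE"        # oe-liblzma:/home/build/tmp/sysroots-components/core2-64/xz/usr/lib/liblzma.so.5
```

Call `check_host_sshd` to run the same classification against the real sshd on a host; a `host-liblzma` result only tells you the library is the distro's, so the package version still has to be compared with the advisory.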
Links: You receive all messages sent to this group.
View/Reply Online (#197652): https://lists.openembedded.org/g/openembedded-core/message/197652
Mute This Topic: https://lists.openembedded.org/mt/105226831/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com]