Andres Freund, a developer at Microsoft, reported a problem in the code of the xz project, a widely used compression program: its recent releases, versions 5.6.0 and 5.6.1, exhibited strange behavior. Further investigation revealed that the offending code had been added to the build script through the release tarball and was not present in the actual repository.
On closer inspection, the code did not malfunction on its own, but when the liblzma library was loaded by OpenSSH, it attempted to insert functions of its own in place of OpenSSH's RSA key decryption functions. The exact intention behind this manipulation is unclear, but it suggests an attempt by the developers to breach the secure shell service.
Richard W.M. Jones, a developer at Red Hat, pointed out that the xz developers had been pushing to get these new versions into Fedora 40, but were delayed by memory-test failures reported by Valgrind, a side effect of the code that was attempting to create the vulnerability. Andres also noted that the inserted code may have come from the developers themselves, or their machines may have been compromised; however, the pattern of their communications raises suspicion about the developers' true intentions.
The developer who pushed for these versions is JiaT75, who has been involved in the xz project for two years. At present, the GitHub accounts of everyone in the xz project have been banned.
The impact of the affected xz versions is limited, as they have seen only a few deployments, such as Fedora Rawhide, a development version. Debian recently included the package in its testing distribution, but the Debian team is now in the process of reverting all of JiaT75's code, back to version 5.4.5.
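For an administrator who wants to know whether a host falls within the scope described above, the following is an added example (not from the original report, not an official tool): it classifies an xz version string as one of the two named releases and reports whether the local sshd binary links liblzma, which is the path the reported hooking depends on. It assumes the first line of `xz --version` ends with the version number, that `ldd` is available, and that sshd is on PATH or at /usr/sbin/sshd.

```shell
#!/bin/sh
# Added example: scope check for the two xz releases named in the article.
# Only 5.6.0 and 5.6.1 are treated as affected; nothing else is assumed.

# is_affected_xz_version VERSION -> exit 0 if VERSION is 5.6.0 or 5.6.1
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# xz_version_from_output "<xz --version output>" -> prints the version
# number found at the end of the first line, e.g. "5.6.1" from
# "xz (XZ Utils) 5.6.1" (assumed output format).
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*[[:space:]]\([0-9][0-9.]*\).*/\1/p'
}

# sshd_links_liblzma -> exit 0 if the sshd binary lists liblzma among its
# shared-library dependencies (requires ldd; assumed sshd locations).
sshd_links_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null || printf '%s' /usr/sbin/sshd)
    [ -x "$sshd_path" ] || return 1
    ldd "$sshd_path" 2>/dev/null | grep -q 'liblzma'
}

# check_host -> report what is actually installed on this machine.
check_host() {
    if command -v xz >/dev/null 2>&1; then
        v=$(xz_version_from_output "$(xz --version 2>/dev/null)")
        if is_affected_xz_version "$v"; then
            echo "xz $v: one of the versions named as affected"
        else
            echo "xz $v: not one of the named affected versions"
        fi
    else
        echo "xz is not installed"
    fi
    if sshd_links_liblzma; then
        echo "sshd links liblzma: the reported hooking path is reachable"
    else
        echo "sshd does not link liblzma (or sshd/ldd is unavailable)"
    fi
}

check_host
```

A host that reports an affected version should be treated as in scope regardless of the sshd result, since the version check alone matches the distributions' own rollback criterion.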
TLDR: Vulnerabilities were found in the xz project as its developers attempted to push new versions; suspicions were raised regarding their intentions, and the Debian team subsequently removed the code.