Another backdoor found in xz package
Description:
Hi
Another issue was found in xz, this time in the actual source code: https://news.ycombinator.com/item?id=39874404
A malicious commit was added by Jia Tan that adds an erroneous dot, which interferes with landlock: https://git.tukaani.org/?p=xz.git;a=blobdiff;f=CMakeLists.txt;h=d2b1af7ab0ab759b6805ced3dff2555e2a4b3f8e;hp=76700591059711e3a4da5b45cf58474dac4e12a7;hb=328c52da8a2bbb81307644efdb58db2c422d9ba7;hpb=eb8ad59e9bab32a8d655796afd39597ea6dcc64d
This has since been fixed by Lasse Collin, the main xz maintainer: https://git.tukaani.org/?p=xz.git;a=commitdiff;h=f9cf4c05edd14dedfe63833f8ccbe41b55823b00
It appears that this will require an additional patch added to the PKGBUILD, beyond the changes recently made.
Additional info:
- package version(s): 5.6.1
- config and/or log files:
- link to upstream bug report, if any: https://git.tukaani.org/?p=xz.git;a=commitdiff;h=f9cf4c05edd14dedfe63833f8ccbe41b55823b00
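
Added example, not part of the original report and not code from the xz project: a small lint for the failure mode described above, assuming the stray dot sits inside the C source of a CMake `check_c_source_compiles` probe, so the probe cannot compile and the feature macro is silently never defined. The CMake fragment and the helper names `suspicious_lines` and `scan_probes` are constructed for illustration.

```python
import re

# Constructed CMake fragment (not copied from xz): the first probe's C source
# carries a stray "." line, so it can never compile and the macro stays unset.
SAMPLE_CMAKE = '''
check_c_source_compiles("
        #include <linux/landlock.h>
        #include <sys/syscall.h>
.
        void my_sandbox(void)
        {
            (void)SYS_landlock_create_ruleset;
        }
        int main(void) { return 0; }
    "
    HAVE_LINUX_LANDLOCK)

check_c_source_compiles("
        #include <stdint.h>
        int main(void) { return 0; }
    "
    HAVE_STDINT)
'''

# Matches check_c[xx]_source_compiles/runs("<source>" <RESULT_VAR>
PROBE_RE = re.compile(
    r'check_c(?:xx)?_source_(?:compiles|runs)\s*\(\s*'
    r'"(?P<src>(?:\\.|[^"\\])*)"\s*(?P<var>\w+)', re.DOTALL)

# Punctuation that may legitimately stand alone on a line of C.
STRUCTURAL = set("{}()[];,/*\\")

def suspicious_lines(src):
    """Return (offset, text) for punctuation-only lines that are not C structure."""
    hits = []
    for offset, line in enumerate(src.splitlines()):
        s = line.strip()
        if s and not any(c.isalnum() or c == "_" for c in s) and not set(s) <= STRUCTURAL:
            hits.append((offset, s))
    return hits

def scan_probes(cmake_text):
    """Return (file_line, result_var, text) for each suspicious line in a probe."""
    findings = []
    for m in PROBE_RE.finditer(cmake_text):
        first_line = cmake_text.count("\n", 0, m.start("src")) + 1
        for offset, s in suspicious_lines(m.group("src")):
            findings.append((first_line + offset, m.group("var"), s))
    return findings

if __name__ == "__main__":
    for line_no, var, text in scan_probes(SAMPLE_CMAKE):
        print(f"line {line_no}: probe for {var} contains stray {text!r}")
```

This lint is a heuristic; checking whether the expected macro actually ends up defined in the generated build configuration on a host that supports the feature is the stronger test.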