
xz/liblzma Backdoor: Open Source Nuke? Maybe Not That Bad!

Submitted by
Style Pass
2024-04-01 03:00:05

On March 29, 2024, a report exposing a backdoor in the upstream source code of the xz software package, a controversial open-source project, was made public on the oss-security mailing list. The backdoor affected liblzma, the compression library that ships as part of xz. Further research followed the initial report, and the key findings are as follows:

The backdoor was present in its entirety in the released xz source tarballs (versions 5.6.0 and 5.6.1). In the upstream Git repository, however, the payload existed only in disguise, as binary test data, and nothing there injected it into liblzma. The injection step was added separately: the activation code was placed into the source tarball at packaging time, before the release was published. Consequently, liblzma built from the Git repository, or from the source archives GitHub generates automatically from it, does not contain the backdoor.

The injected activation code modified the build system so that the disguised files were pulled in and executed during the build, which in turn injected the remaining payload into the library.
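A check that follows directly from these findings, written here as an added example and not taken from the post or from the xz project itself: it compares the file list of an extracted release tarball against a checkout of the tagged commit and reports files that exist only in the tarball, which is exactly where the activation code was hidden. Directory layout and file names are constructed for the demo, and the list of "expected generated files" is an assumption about a typical autotools release.

```shell
#!/bin/sh
# Added example, not from the original post: list files that exist in a
# release source tarball but not in a checkout of the tagged Git commit.
# The xz backdoor's activation code was added only to the release tarball,
# so this is the comparison a packager can run before building.
set -eu

# Regular files under a directory, as paths relative to it, in C-locale order.
list_files() {
    ( cd "$1" && find . -type f | sed 's|^\./||' | LC_ALL=C sort )
}

# Files present in the tarball tree ($2) but absent from the git tree ($1).
extra_in_tarball() {
    git_list=$(mktemp); tar_list=$(mktemp)
    list_files "$1" > "$git_list"
    list_files "$2" > "$tar_list"
    LC_ALL=C comm -13 "$git_list" "$tar_list"
    rm -f "$git_list" "$tar_list"
}

# Same, minus the generated files an autotools release legitimately adds
# (configure, config.h.in, Makefile.in), so only unexpected additions remain.
unexpected_in_tarball() {
    extra_in_tarball "$1" "$2" \
        | grep -v -E '^(configure|config\.h\.in|(.*/)?Makefile\.in)$' || true
}

# Build two constructed demo trees (placeholder names, not real xz contents):
# a "git" checkout and a "tar" extraction that carries one extra macro file.
demo_setup() {
    root=$(mktemp -d)
    for d in git tar; do
        mkdir -p "$root/$d/m4" "$root/$d/tests/files"
        echo 'AC_INIT' > "$root/$d/configure.ac"
        echo 'macro' > "$root/$d/m4/known.m4"
        echo 'binary test data' > "$root/$d/tests/files/sample.xz"
    done
    echo '#!/bin/sh' > "$root/tar/configure"        # expected generated file
    echo 'macro' > "$root/tar/m4/extra-macro.m4"    # constructed: tarball only
    echo "$root"
}

# Usage: unexpected_in_tarball /path/to/git-checkout /path/to/extracted-tarball
root=$(demo_setup)
echo "Unexpected files in release tarball:"
unexpected_in_tarball "$root/git" "$root/tar"
```

On a real release, point the two arguments at `git archive`/checkout output for the tag and at the extracted distributed tarball; anything the filter does not classify as a generated file should be read before the package is built.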
