see shy jo:
I count a minimum of 750 commits or contributions to xz by Jia Tan, who backdoored it.
This includes all 700 commits made after they merged a pull request on Jan 7, 2023, at which point they appear to have already had direct push access, which would have also let them push commits with forged authors.
Probably a number of other commits before that point as well.
Distributions are reverting the identified backdoor. This is insufficient given this volume of activity. Revert to before any of this.

see shy jo (in reply to see shy jo):
We don't need any of the changes they made to xz. xz from 2021 was fine.
They did make commits that claimed to fix an integer overflow, apparently legitimately. So they were deep into analyzing xz security at that point.
Link: github.com/tukaani-project/xz/… (GitHub)
"liblzma: lzma_index_append: Add missing integer overflow check. · tukaani-project/xz@18d7fac"

Chris Markiewicz (in reply to see shy jo):
Link: lore.kernel.org
"[PATCH 00/11] xz: Updates to license, filters, and compression options"

see shy jo (in reply to see shy jo):
Debian is considering such a reversion here. I'm glad they're taking the possibility of further backdooring seriously.
(It's not quite as easy to revert as I'd thought it would be.)
Link: bugs.debian.org/1068024
"#1068024 - revert to version that does not contain changes by bad actor - Debian Bug report logs"