oss-sec mailing list archives

Re: backdoor in upstream xz/liblzma leading to ssh server compromise


From: Salvatore Bonaccorso <carnil () debian org>
Date: Sat, 30 Mar 2024 20:53:22 +0100

Hi,

On Sat, Mar 30, 2024 at 08:06:06PM +0100, Axel Beckert wrote:
> Hi,
> 
> On Sat, Mar 30, 2024 at 07:00:42PM +0800, Alexander E. Patrakov wrote:
> > As GitHub has disabled the repository, the commit links in the
> > original message no longer work. One of the remaining mirrors is
> > https://git.rootprojects.org/root/xz
> 
> Note that this is not a mirror of the adversary controlled git repo on
> Github but a mirror of https://git.tukaani.org/xz.git which is
> controlled by the original maintainer according to
> https://tukaani.org/xz-backdoor/. (And that repo is still there, too,
> even if it gives a 403 Forbidden when accessed with a web browser. You
> can still "git clone" from it.)

As a side note for an alternative: there is the Software Heritage
archive project, which has as its goal:

The long term goal of the Software Heritage initiative is to collect
all publicly available software in source code form together with its
development history, replicate it massively to ensure its
preservation, and share it with everyone who needs it. The Software
Heritage archive is growing over time as we crawl new source code from
software projects and development forges.

As such, for the analysis it is also possible to use
https://archive.softwareheritage.org/browse/origin/directory/?origin_url=https://github.com/tukaani-project/xz

Regards,
Salvatore
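The practical check behind the two pointers above (a still-cloneable tukaani.org repository and the Software Heritage archive) is comparing object ids: git ids are content-addressed SHA-1 hashes over "<type> <length>\0<payload>", and Software Heritage's identifiers for blobs, trees and revisions are computed the same way, so a commit id that is identical in your clone (`git rev-parse <ref>`) and in the archive means identical history, byte for byte. The script below is an added example and is not part of this message, of the thread or of the xz project; it reimplements the git object hash, builds a commit object, and reports disagreements between a mirror's ids and an archive's ids. The author string, commit messages and ref names are constructed sample data, and the empty-tree and "hello" blob ids in the usage section are git's well-known constants.

```python
import hashlib
from typing import Dict, List, Tuple


def git_object_id(kind: str, payload: bytes) -> str:
    """Return the git object id (hex SHA-1) of an object, exactly as
    `git hash-object -t <kind>` computes it: SHA-1 over the header
    "<kind> <len>\\0" followed by the raw payload.

    Because the id is derived from the content, two independently
    obtained copies (a mirror clone and an archive entry) that agree
    on the id necessarily agree on the bytes."""
    if kind not in ("blob", "tree", "commit", "tag"):
        raise ValueError(f"unknown git object type: {kind}")
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def commit_id(tree: str, parents: List[str], author: str,
              committer: str, message: str) -> str:
    """Assemble a commit object in git's canonical layout and hash it.

    Layout: "tree <id>", zero or more "parent <id>" lines, "author ...",
    "committer ...", a blank line, then the message (normally ending in
    a newline). Any change to the tree, the parents or the message
    changes the id, which is why a matching commit id pins the whole
    reachable history, not just the commit text."""
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {committer}", "", message]
    return git_object_id("commit", "\n".join(lines).encode())


def cross_check(local: Dict[str, str],
                archive: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Compare ids computed from a local mirror with the ids an
    independent archive reports for the same refs.

    Returns (ref, local_id, archive_id) for every disagreement; a ref
    the archive does not know is reported with "<missing>". An empty
    list means the mirror and the archive agree on those refs."""
    return [(ref, local[ref], archive.get(ref, "<missing>"))
            for ref in sorted(local) if local[ref] != archive.get(ref)]


# Constructed sample data for the demonstration (hypothetical author,
# hypothetical messages; no real xz commits are reproduced here).
AUTHOR = "Example Maintainer <maintainer@example.org> 1711800000 +0100"


def demo() -> List[Tuple[str, str, str]]:
    """Simulate a mirror whose tip commit differs from the archived one
    by a single trailing space in the commit message."""
    empty_tree = git_object_id("tree", b"")
    archived_tip = commit_id(empty_tree, [], AUTHOR, AUTHOR,
                             "Release tarball build scripts\n")
    mirrored_tip = commit_id(empty_tree, [], AUTHOR, AUTHOR,
                             "Release tarball build scripts \n")
    archive_view = {"refs/heads/master": archived_tip}
    mirror_view = {"refs/heads/master": mirrored_tip}
    return cross_check(mirror_view, archive_view)


if __name__ == "__main__":
    # Well-known git constants, usable as a self-test of the hashing.
    print("empty blob :", git_object_id("blob", b""))
    print("hello blob :", git_object_id("blob", b"hello\n"))
    print("empty tree :", git_object_id("tree", b""))
    for ref, local, archived in demo():
        print(f"MISMATCH {ref}: mirror={local} archive={archived}")
```

A matching id establishes that the copy you are analysing is the history that was actually published to that origin; it says nothing about whether that history is benign. The tukaani.org repository and the archived GitHub origin both contain the backdoored commits as they were pushed, so the check guards against analysing a further-modified mirror, not against the original compromise. `git fsck --full` on the clone additionally confirms that the object store is internally consistent with those ids.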
