On 3/29/24 11:07 PM, Eddie Chapman wrote:
> Given what we've learnt in the last 24hrs about xz utilities, you could
> forgive a paranoid person for seriously considering getting rid entirely
> of them from their systems, especially since there are suitable
> alternatives available. Some might say that's a bit extreme, xz-utils
> will get a thorough audit and it will all be fine. But when a malicious
> actor has been a key maintainer of something as complex as a decompression
> utility for years, I'm not sure I could ever trust that codebase again.
> Maybe a complete rewrite will emerge, but I'm personally unwilling to
> continue using xz utils in the meantime for uncompressing anything on my
> systems, even if it is done by an unprivileged process.

It suffices to downgrade to the version of xz before a social engineering
attack by a malicious actor to gain maintainership of the xz project.

Have you been linked to this yet?
https://www.mail-archive.com/xz-devel@tukaani.org/msg00571.html

-- 
Eli Schwartz