On Fri, Mar 29, 2024 at 07:25:56PM -0500, Chris Adams wrote:
Once upon a time, Richard W.M. Jones rjones@redhat.com said:
(1) We built 5.6.0 for Fedora 40 & 41. Jia Tan was very insistent in emails that we should update.
So this wasn't just a "hey, new upstream version", this was PUSHED on distributions by the culprit.
I have to say that this is not unusual. I myself have even sent messages to other maintainers encouraging them to package or update projects that I've written. A keen upstream maintainer wanting to help or encourage downstream packagers is normally welcome. This is the one case and only case that someone turned out to be malicious (that we know about). They abused our trust.
Are they a contributor to any other software in the distribution? I think anything they might have touched has to be considered suspect.
Yes I agree that anything else touched by this "person" should be considered very suspect.
Either (a) their systems have been completely compromised or (b) they did this intentionally. Neither is good.
The back door is intentional for sure. We don't know the details of if this is an account take-over or a "long con" and what the background to all this is, but I'm sure people are looking into that.
(2) We got reports later of a valgrind test failure. I also saw it myself in my own projects that use liblzma. We notified Jia Tan of this.
Why does libsystemd pull in libzma (as well as liblz4 and libzstd, because we need three compression libraries in one place)? That seems to be a broad amount of extra code, for a library that's in a number of network-listening services is just linked for socket activation.
This is a very real issue. Got another email coming up in a bit about this.
Also, while it appears there's more than one developer with Github commit access (one other made commits since the initial "bad" commit), it would seem they aren't doing reviews, so not sure how much xz/liblzma can be trusted to be linked into a whole lot of key programs.
Rich.