Once upon a time, Richard W.M. Jones rjones@redhat.com said:
(1) We built 5.6.0 for Fedora 40 & 41. Jia Tan was very insistent in emails that we should update.
So this wasn't just a "hey, new upstream version", this was PUSHED on distributions by the culprit. Are they a contributor to any other software in the distribution? I think anything they might have touched has to be considered suspect.
Either (a) their systems have been completely compromised or (b) they did this intentionally. Neither is good.
(2) We got reports later of a valgrind test failure. I also saw it myself in my own projects that use liblzma. We notified Jia Tan of this.
Why does libsystemd pull in libzma (as well as liblz4 and libzstd, because we need three compression libraries in one place)? That seems to be a broad amount of extra code, for a library that's in a number of network-listening services is just linked for socket activation.
Also, while it appears there's more than one developer with Github commit access (one other made commits since the initial "bad" commit), it would seem they aren't doing reviews, so not sure how much xz/liblzma can be trusted to be linked into a whole lot of key programs.