Highlights

2021

  • The first commits they make are not to xz, but they are deeply suspicious. Specifically, they open a PR in libarchive: Added error text to warning when untaring with bsdtar. This commit does a little more than it says. It replaces safe_fprint with an unsafe variant, potentially introducing another vulnerability. The code was merged without any discussion, and lives on to this day (patched). libarchive should also be considered compromised until proven otherwise.

2022

2023

  • JiaT75 merges their first commit on Jan 7, 2023, which gives us a good indication of when they fully gained trust.
  • In July, a PR was opened in oss-fuzz to disable ifunc for fuzzing builds, due to issues introduced by the changes above. This appears to be deliberate, to mask the malicious changes that would be introduced soon after.

2024

The discovery

A sudden push for inclusion

  • A request for the vulnerable version to be included in Debian is opened by Hans: