
Is the original git repository still available somewhere?


Note the malicious m4 build scripts were not checked into git, but only put in the released tarballs. You can see the original content here:

https://salsa.debian.org/debian/xz-utils/-/tree/debian/5.6.0...


The test file containing the backdoor seems to be here:

https://git.rootprojects.org/root/xz/commit/6e636819e8f07033...


Yes, the binary "test files" were checked in. But the code that actually decompresses and executes the shell code in that file is in this m4 script, which only exists in the tar archive:

https://salsa.debian.org/debian/xz-utils/-/blob/debian/5.6.0...
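The point made in this thread, that a release tarball can carry files the git repository never had, can be checked mechanically by comparing the two file sets. The following is an added example, not part of the original thread or of any project's tooling; the project name `pkg`, the file names and their contents are constructed sample data.

```python
import hashlib
import io
import tarfile

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def tarball_manifest(tar_bytes, prefix):
    """Map relative path -> SHA-256 for each regular file in a release tarball."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()  # read only, never extract to disk
                manifest[member.name.removeprefix(prefix)] = sha256(data)
    return manifest

def review_list(tar_manifest, git_manifest):
    """Return (paths only in the tarball, paths whose content differs from git)."""
    only_in_tarball = sorted(set(tar_manifest) - set(git_manifest))
    modified = sorted(p for p in set(tar_manifest) & set(git_manifest)
                      if tar_manifest[p] != git_manifest[p])
    return only_in_tarball, modified

def make_tar(files, prefix):
    """Build a constructed .tar.gz in memory so the example runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(prefix + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample data (hypothetical project "pkg"); in practice GIT_TREE would
# be hashed from the files of the tagged commit, e.g. the output of `git archive`.
GIT_TREE = {"configure.ac": b"AC_INIT([pkg],[1.0])\n",
            "m4/check.m4": b"# macro as committed\n",
            "tests/files/sample.bin": b"\x00\x01\x02"}
RELEASE = {**GIT_TREE, "m4/check.m4": b"# macro as shipped\n",
           "m4/extra.m4": b"# present only in the tarball\n"}

def demo():
    git_manifest = {path: sha256(data) for path, data in GIT_TREE.items()}
    tar_manifest = tarball_manifest(make_tar(RELEASE, "pkg-1.0/"), "pkg-1.0/")
    return review_list(tar_manifest, git_manifest)
```

Autotools release tarballs normally contain generated files that are not tracked in git, so both lists are a set of files to review by hand, not a verdict.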




