Open msftedge opened 3 months ago
// E.g. read a wholesome file provided kindly by the XZ maintainer
Is this the same exact payload used to backdoor xz?
Is this exploit applicable to any Linux, or does it only target Debian/Red Hat distributions?
xz-utils versions 5.6.0 and 5.6.1 are compromised; if you are not using Debian sid or another bleeding-edge distro you should be fine.
@64ArthurAraujo It was just a joke about this issue because the entire issue is itself a joke.
I thought you were asking about the xz vulnerability lol
Good second issue! Unfortunately the maintainer would have considered this as a great new feature.
lgtm
Damn, he was just trying to make sure he can get a hold of you about your car's extended warranty...
Don't worry, we'll just raise a PR in oss-fuzz to skip checking for stack buffer overflow in this repo :)
LGTM
Good afternoon,
There is a stack-based buffer overflow vulnerability in various functions of this library, including stest_assert_string_equal and assert_n_array_equal. If the library is used to test untrusted input (for example, a file you found in tukaani-project/xz) a devious individual would be able to construct a malicious file to achieve arbitrary code execution on anyone running the tests.
I have included an example of how it might look on x86_64 Linux. Here as an example I hijack the return to go to a predefined function, but of course you could ROP instead.
I trust you will fix this issue promptly, I am sure security is a high priority.
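A bounded way to build an assertion-failure message, shown as an added example that is not part of the original issue or the library's own code. The library's source is not on this page, so the unsafe pattern in the comment, the names `format_mismatch` and `checked_string_equal`, and the 64-byte `MSG_CAP` are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MSG_CAP 64 /* assumed size of the on-stack message buffer */

/* Unsafe pattern (assumed, for contrast; not copied from the library):
 *     char s[MSG_CAP];
 *     sprintf(s, "Expected \"%s\" but was \"%s\"", expected, actual);
 * Any string longer than the buffer is written past its end. */

/* Bounded formatter: writes at most cap bytes and always NUL-terminates.
 * Returns 0 if the message fit, 1 if it was truncated, -1 on error. */
int format_mismatch(char *out, size_t cap, const char *expected, const char *actual)
{
    if (out == NULL || cap == 0)
        return -1;
    if (expected == NULL) expected = "(null)";
    if (actual == NULL) actual = "(null)";
    int n = snprintf(out, cap, "Expected \"%s\" but was \"%s\"", expected, actual);
    if (n < 0) {
        out[0] = '\0';
        return -1;
    }
    if ((size_t)n >= cap) {
        if (cap > 4) /* make the truncation visible in the report */
            memcpy(out + cap - 4, "...", 4);
        return 1;
    }
    return 0;
}

/* Hypothetical hardened assertion: 1 if equal, 0 on mismatch (msg filled in). */
int checked_string_equal(const char *expected, const char *actual, char *msg, size_t cap)
{
    if (expected && actual && strcmp(expected, actual) == 0) {
        if (msg && cap) msg[0] = '\0';
        return 1;
    }
    format_mismatch(msg, cap, expected, actual);
    return 0;
}

int main(void)
{
    char big[4096], msg[MSG_CAP]; /* constructed oversized "untrusted" input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    int equal = checked_string_equal("short", big, msg, sizeof msg);
    printf("equal=%d len=%zu msg=%s\n", equal, strlen(msg), msg);
    return 0;
}
```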