alexcrichton / xz2-rs

Bindings to liblzma in Rust (xz streams in Rust)
Apache License 2.0
81 stars 52 forks

Upstream malicious bug in 5.6.0 and 5.6.1 #124

Closed NobodyXu closed 5 months ago

NobodyXu commented 5 months ago

https://www.phoronix.com/news/XZ-CVE-2024-3094

Probably a good idea to update the compilation of vendored xz to use <5.6.0
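The check implied by this comment, written out as an added example (not code from xz2-rs or lzma-sys): decode the liblzma version number into major/minor/patch, flag the two releases the linked advisory names (5.6.0 and 5.6.1), and test the "must be < 5.6.0" pin. The number layout (major * 10000000 + minor * 10000 + patch * 10 + stability, with stability 0 = alpha, 1 = beta, 2 = stable) is the one liblzma's own LZMA_VERSION macro uses; that in a real build the value would come from the lzma-sys binding of lzma_version_number() / lzma_version_string() is an assumption, and the sample version strings below are constructed from the ones named in this thread.

```rust
/// A decoded liblzma version. Field order matters: the derived Ord compares
/// major, then minor, then patch, then stability, which is the order we want.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct LzmaVersion {
    pub major: u32,
    pub minor: u32,
    pub patch: u32,
    /// 0 = alpha, 1 = beta, 2 = stable (liblzma's LZMA_VERSION_STABILITY_* values)
    pub stability: u32,
}

impl LzmaVersion {
    /// Decode the integer form used by liblzma's LZMA_VERSION macro,
    /// e.g. 50060012 -> 5.6.1 stable.
    pub fn from_number(n: u32) -> LzmaVersion {
        LzmaVersion {
            major: n / 10_000_000,
            minor: (n / 10_000) % 1000,
            patch: (n / 10) % 1000,
            stability: n % 10,
        }
    }

    /// Parse the string form ("5.2.5", "5.5.0alpha", "5.5.1beta").
    /// Returns None for anything that is not exactly three numeric components
    /// followed by an empty, "alpha" or "beta" suffix.
    pub fn parse(s: &str) -> Option<LzmaVersion> {
        let end = s
            .find(|c: char| !(c.is_ascii_digit() || c == '.'))
            .unwrap_or(s.len());
        let (num, suffix) = s.split_at(end);
        let mut parts = num.split('.');
        let major = parts.next()?.parse().ok()?;
        let minor = parts.next()?.parse().ok()?;
        let patch = parts.next()?.parse().ok()?;
        if parts.next().is_some() {
            return None;
        }
        let stability = match suffix {
            "" => 2,
            "alpha" => 0,
            "beta" => 1,
            _ => return None,
        };
        Some(LzmaVersion { major, minor, patch, stability })
    }
}

/// The releases named in the CVE-2024-3094 advisory linked above: 5.6.0 and 5.6.1.
pub fn is_backdoored_release(v: &LzmaVersion) -> bool {
    v.major == 5 && v.minor == 6 && (v.patch == 0 || v.patch == 1)
}

/// The pin proposed in this thread: only build against vendored xz < 5.6.0.
pub fn satisfies_pin(v: &LzmaVersion) -> bool {
    (v.major, v.minor, v.patch) < (5, 6, 0)
}

fn main() {
    // Constructed sample input: the versions mentioned in this issue. In a real
    // build the string would come from lzma_version_string() via lzma-sys (assumption).
    for s in ["5.2.5", "5.4.1", "5.6.0", "5.6.1"] {
        let v = LzmaVersion::parse(s).expect("well-formed liblzma version string");
        println!(
            "{s}: backdoored_release={} satisfies_pin={}",
            is_backdoored_release(&v),
            satisfies_pin(&v)
        );
    }
}
```

Run it in a build script or a startup self-check and fail the build when `satisfies_pin` returns false; comparing on the decoded tuple rather than on the raw integer keeps the check readable and avoids off-by-one mistakes in the 10/10000 scaling.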

NobodyXu commented 5 months ago

Oh it seems that we are using xz 5.4, so it should be ok

kennytm commented 5 months ago

Not even 5.4, we are using xz 5.2.5 (#65) :joy:. No one reviewed the update to 5.4.1 #108.

NobodyXu commented 5 months ago

Thanks for the correction, I guess it is actually a good thing it hasn't been merged.

NobodyXu commented 5 months ago

At the very least, people using vendored xz-rs and lzma won't get hit by the malicious code.