Closed alexanderveit closed 4 months ago
Note I am not the maintainer. This is just my opinion.
It's unlikely that the Java version is affected. I have checked all commits of the malicious actor. They appear fine. There is only one commit that even implements any meaningful code, and that one only appears to do legit stuff.
If you clone the repo and build from source you are going to be unaffected. I did not yet have the time to decompile every class on the Maven Central release and compare it with the source code to see if it's plausibly the same. The only way the malicious actor could have snuck something in is if he published the release there and the source in the repo doesn't match the source used to compile the Maven Central release. In general it's much, much harder to hide an exploit in a Java class compared to what the malicious actor did in the C/native version. I have no reason to believe that the malicious actor actually made the release, as it is, at least on GitHub, signed by the good maintainer. It would be weird for the release on GitHub and Nexus to use different jars. Just compare the SHA values (I can't do this currently as I don't have access to a computer). Even then, due to the high profile this attack has received, someone has already 100% decompiled the releases and checked them. This can probably be done in about an hour by someone skilled with a decompiler.
I personally don't think the Java lib contains anything malicious.
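The comparison the comment above suggests (checking that the jar published on Maven Central matches the one attached to the GitHub release) can be done entry by entry rather than on the whole-file SHA alone, which also survives benign differences in zip metadata. This is an added example, not code from the thread's participants or from the xz-java project; the two jars and their class bytes are constructed sample data, not real xz-java bytecode.

```python
import hashlib
import io
import zipfile


def entry_digests(jar_bytes: bytes) -> dict[str, str]:
    """Map every file entry in a jar (a zip archive) to the SHA-256 of its contents."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_jars(jar_a: bytes, jar_b: bytes) -> dict:
    """Report entries that differ between two jars; whole-file hash is reported separately."""
    a, b = entry_digests(jar_a), entry_digests(jar_b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "changed": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
        "whole_file_identical": hashlib.sha256(jar_a).digest() == hashlib.sha256(jar_b).digest(),
    }


def build_jar(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory jar from a name -> bytes mapping (used here for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample jars: the class entries are placeholders, not real bytecode.
GITHUB_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/tukaani/xz/XZ.class": b"\xca\xfe\xba\xbe placeholder A",
    "org/tukaani/xz/LZMA2Options.class": b"\xca\xfe\xba\xbe placeholder B",
})
MAVEN_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/tukaani/xz/XZ.class": b"\xca\xfe\xba\xbe placeholder A",
    "org/tukaani/xz/LZMA2Options.class": b"\xca\xfe\xba\xbe placeholder B CHANGED",
    "org/tukaani/xz/Extra.class": b"\xca\xfe\xba\xbe unexpected entry",
})

if __name__ == "__main__":
    for key, value in compare_jars(GITHUB_JAR, MAVEN_JAR).items():
        print(f"{key}: {value}")
```

Any entry listed under `changed` or `only_in_*` is the class to decompile and diff against the repository source; an empty report with matching whole-file hashes means the two artifacts are the same jar.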
I had hoped my replies in https://github.com/tukaani-project/xz-java/issues/14 had already clarified this. The Git repository and 1.9 are fine, including the binaries. Normal bugs only.
I hadn't read that bug, my bad. The title and bug label don't make it obvious that it's about the CVE. Once I read the content of that issue everything was crystal clear. Perhaps close this issue and give the other a more obvious name.
Can you confirm that xz-java, specifically version 1.9 (org.tukaani:xz:1.9), is not affected by CVE-2024-3094? Thank you very much in advance.