While the backdoor was inactive (and thus harmless) without inserting
a small trigger code into the build system when the source package was
created, it's good to remove this anyway:

- The executable payloads were embedded as binary blobs in
  the test files. This was a blatant violation of the
  Debian Free Software Guidelines.
- On machines that see lots of bots poking at the SSH port, the backdoor
  noticeably increased CPU load, resulting in degraded user experience
  and thus overwhelmingly negative user feedback.
- The maintainer who added the backdoor has disappeared.
- Backdoors are bad for security.

5.6.1 (2024-03-09)
IMPORTANT: This fixed bugs in the backdoor (CVE-2024-3094) (someone
had forgotten to run Valgrind).

Special author: Jia Tan was a co-maintainer in 2022-2024. He and
the team behind him inserted a backdoor (CVE-2024-3094) into
XZ Utils 5.6.0 and 5.6.1 releases. He suddenly disappeared when
this was discovered.

Debian and NixOS (and other distros) are already downgrading or discussing downgrading to versions without those commits.
I think that making a 5.4 or 5.6 release without any of those commits (with stuff reimplemented as needed) would assuage most concerns.
It's really sad to see commit messages like this, downplaying the issue. It's also concerning to see libsystemd get a free pass.
The "one guy's little piece of code holding up the world" is a SPOF and much easier to attack than if they had some help and automation.
Typical over-engineering that comes from large corporations.
They will turn FOSS into a walled garden, as if contributing to projects was not a pain already.