Bug 2272210 (CVE-2024-3094) - CVE-2024-3094 xz: malicious code in distributed source
Summary: CVE-2024-3094 xz: malicious code in distributed source
Status: NEW
Alias: CVE-2024-3094
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Product Security
QA Contact:
Depends On:
Blocks: 2272206
TreeView+ depends on / blocked
Reported: 2024-03-29 15:56 UTC by Zack Miele
Modified: 2024-04-17 06:56 UTC (History)
51 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Zack Miele 2024-03-29 15:56:47 UTC
Malicious code discovered in the tarballs distributed from upstream sources beginning in 5.6.0.

Note You need to log in before you can comment on or make changes to this bug.