i think the biggest news out of today's liblzma backdoor is that someone on earth is still capable of writing m4 code

The malicious injection present in the xz versions 5.6.0 and 5.6.1 libraries is obfuscated and only included in full in the download package - the Git distribution lacks the M4 macro that triggers the build of the malicious code. The second-stage artifacts are present in the Git repository for the injection during the build time, in case the malicious M4 macro is present.

Fascinating. Just yesterday the author added a SECURITY.md file to the xz-java project.

If you discover a security vulnerability in this project please report it privately. Do not disclose it as a public issue. This gives us time to work with you to fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released.

Reading that in a different light, it says give me time to adjust my exploits and capitalize on any targets. Makes me wonder what other vulns might exist in the author's other projects.

@vyr Yeah I was just talking elsewhere about how Jia isn't just the xz person...

Someone's gonna have to dig through everything they've done for the past year or so.

@trysdyn the other takeaway for today is that if you're a project maintainer, you can get a foreign intelligence agency to do a bunch of scutwork for you on their dime, provided you catch the exploit when it comes