XZ Project Reveals Audit Results and First Update After Backdoor Detection

Lasse Collin, the original author of xz, has regained control of the project after the backdoor planted by co-maintainer Jia Tan (CVE-2024-3094) was discovered. He has released corrected XZ Utils versions 5.2.13, 5.4.7 and 5.6.2, which remove the backdoor and the other suspicious changes introduced during Jia Tan's time as maintainer.

A report has been published describing the review of the Git repositories and of every change made since December 2022, the period in which Jia Tan acted as maintainer. Eight malicious commits were identified and removed from the repository. The CRC CLMUL code, which produced false positives in MemorySanitizer (MSan) and caused problems with OSS-Fuzz, has not been removed yet, although that work is planned.

No suspicious changes were found in the older commits that predate the backdoor. Additional checks covered the .po translation files, the metadata inside the tar archives, and the release tarballs themselves. The update also contains bug fixes and drops support for the ifunc (indirect function) mechanism provided by glibc.
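The tarball checks mentioned above are worth seeing concretely, because the part of a release that never passes through git review is exactly where an attacker can hide. The following Python script is an added example, not code from the xz project or from Lasse Collin's report: it compares a release tarball against a reference archive of the tagged source tree (in practice the output of `git archive`), reports files that were added or changed on the way to the release, and summarizes the ownership metadata recorded in the tar headers. Both archives are constructed in memory with placeholder contents; the file names, the planted differences and the `GENERATED_OK` allowlist are assumptions for illustration only.

```python
import hashlib
import io
import tarfile

# Files an Autotools release tarball legitimately adds on top of the tagged
# git tree. Illustrative allowlist (assumption); a real review would also
# regenerate these and diff them against the shipped copies.
GENERATED_OK = {"configure", "Makefile.in", "aclocal.m4", "config.h.in"}


def make_tar(files, *, uid=0, uname="root", mtime=0):
    """Build an in-memory tarball from {path: bytes} with explicit metadata.

    Only used to construct the sample archives below; real archives would be
    opened from disk with tarfile.open(path).
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.uid = info.gid = uid
            info.uname = info.gname = uname
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest_members(tar_bytes):
    """Map each regular file (top-level directory stripped) to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # "xz-5.6.2/src/foo.c" -> "src/foo.c", so archives with different
            # top-level directory names can still be compared.
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            data = tar.extractfile(member).read()
            digests[path] = hashlib.sha256(data).hexdigest()
    return digests


def compare_archives(reference_tar, release_tar):
    """Classify every path as missing, modified, expected-generated or unexplained."""
    ref = digest_members(reference_tar)
    rel = digest_members(release_tar)
    added = set(rel) - set(ref)
    return {
        "missing": sorted(set(ref) - set(rel)),
        "modified": sorted(p for p in ref.keys() & rel.keys() if ref[p] != rel[p]),
        "expected_generated": sorted(added & GENERATED_OK),
        "unexplained_added": sorted(added - GENERATED_OK),
    }


def owner_summary(tar_bytes):
    """Distinct (uid, gid, uname, gname) tuples over all members.

    A tarball produced in one go carries a single tuple; several tuples, or an
    owner that does not match the expected packager, calls for a closer look.
    """
    owners = set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            owners.add((member.uid, member.gid, member.uname, member.gname))
    return owners


# Constructed sample trees; contents are placeholders, not real xz sources.
GIT_TREE = {
    "xz-5.6.2/configure.ac": b"AC_INIT([xz], [5.6.2])\n",
    "xz-5.6.2/m4/ax_pthread.m4": b"# pthread probe\n",
    "xz-5.6.2/src/liblzma/check/crc64_fast.c": b"/* crc64 */\n",
}
RELEASE_TREE = dict(GIT_TREE)
RELEASE_TREE["xz-5.6.2/configure"] = b"#!/bin/sh\n# generated by autoconf\n"
RELEASE_TREE["xz-5.6.2/Makefile.in"] = b"# generated by automake\n"
# Two deliberately planted differences to exercise the check (hypothetical):
RELEASE_TREE["xz-5.6.2/m4/extra-macro.m4"] = b"# not present in the tagged tree\n"
RELEASE_TREE["xz-5.6.2/src/liblzma/check/crc64_fast.c"] = b"/* crc64 */\n/* edited after tagging */\n"

REFERENCE = make_tar(GIT_TREE)  # stands in for `git archive` output
RELEASE = make_tar(RELEASE_TREE, uid=1000, uname="builder", mtime=1_700_000_000)

if __name__ == "__main__":
    for category, paths in compare_archives(REFERENCE, RELEASE).items():
        print(f"{category}: {paths}")
    print("owners:", owner_summary(RELEASE))
```

Against real releases the reference would come from `git archive --format=tar --prefix=xz-5.6.2/ v5.6.2` and the release from the published tarball; anything in `unexplained_added` or `modified` needs an explanation from the maintainer, and the generated files should additionally be regenerated with the pinned Autotools versions and diffed, since a hand-edited `configure` or `.m4` file is indistinguishable from a legitimately generated one by name alone.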

The xz logo, the PDF versions of the man pages and two test files have been removed from the package. The xzdec decoder now supports version 4 of the Landlock sandboxing ABI. The Autotools build scripts have been updated, and the CMake build gained a new option for generating the API documentation with Doxygen.

