Backdoor in XZ Utils That Almost Happened

Last week, the Internet dodged a major nation-state attack that would have had catastrophic cybersecurity repercussions worldwide. It’s a catastrophe that didn’t happen, so it won’t get much attention--but it should. There’s an important moral to the story of the attack and its discovery: The...

Malicious Code in XZ Utils for Linux Systems Enables Remote Code Execution

The malicious code inserted into the open-source library XZ Utils, a widely used package present in major Linux distributions, is also capable of facilitating remote code execution, a new analysis has revealed. The audacious supply chain compromise, tracked as CVE-2024-3094 CVSS score: 10.0, came...

XZ: Embedded Malicious Code (CVE-2024-3094)

A Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code. This file is then used to modify specific...

XZ Utils SSHd Backdoor

On March 29th, 2024, security researcher Andres Freund discovered a backdoor in XZ Utils versions 5.6.0 and 5.6.1. Under certain conditions, this backdoor may allow remote access to the targeted system. This disclosure was posted to the Openwall mailing list. The security researcher mentions that...

Exploit for Embedded Malicious Code in Tukaani Xz

CVE-2024-3094 checker xz Utils versions 5.6.0 and 5.6.1 appea...

PT-2024-2451

Name of the Vulnerable Software and Affected Versions XZ Utils versions 5.6.0 through 5.6.1 Description Malicious code was discovered in the upstream tarballs of XZ Utils. Through complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file in the...

Fedora: Security Advisory for xz-java (FEDORA-2024-129d8ca6fc)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

[SECURITY] Fedora 40 Update: xz-java-1.9-10.fc40

A complete implementation of XZ data compression in Java. It features full support for the .xz file format specification version 1.0.4, single-threaded streamed compression and decompression, single-threaded decompression with limited random access support, raw streams no .xz headers for advanced...

[SECURITY] Fedora 40 Update: jzlib-1.1.3-30.fc40

The zlib is designed to be a free, general-purpose, legally unencumbered -- that is, not covered by any patents -- loss-less data-compression library for use on virtually any computer hardware and operating system. The zlib was written by Jean-loup Gailly compression and Mark Adler decompression...

zlib: Buffer Overflow

Background zlib is a widely used free and patent unencumbered data compression library. Description A vulnerability has been discovered in zlib. Please review the CVE identifier referenced below for details. Impact MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffe...

What is WAN Acceleration?

Hook: Network Sluggish? Learn What WAN Acceleration Is Ever been in a virtual meeting that froze at the worst possible moment? Or had your staff grumble about slow data transfers that are as slow as molasses? If your answer is a weary "yes," it's high time to turn your eyes toward WAN Acceleratio...

CVE-2023-43642

A flaw was found in SnappyInputStream in snappy-java, a data compression library in Java. This issue occurs when decompressing data with a too-large chunk size due to a missing upper bound check on chunk length. An unrecoverable fatal error can occur, resulting in a Denial of Service DoS...

Researchers Uncover New GPU Side-Channel Vulnerability Leaking Sensitive Data

A novel side-channel attack called GPU.zip renders virtually all modern graphics processing units GPU vulnerable to information leakage. "This channel exploits an optimization that is data dependent, software transparent, and present in nearly all modern GPUs: graphical data compression," a group...

The vulnerability of the HandleFileArg function in the XML data compression tool Xmill allows a attacker to execute arbitrary code.

The vulnerability of the HandleFileArgl function in the XML data compression tool Xmill is related to a memory boundary error during the processing of XML files. Exploiting this vulnerability can allow a local attacker to execute arbitrary code...

The vulnerability of the DecodeTreeBlock function in the XML data compression tool Xmill allows a hacker to execute arbitrary code.

The vulnerability of the DecodeTreeBlock function in the XML data compression tool Xmill is related to the execution of operations outside the buffer in memory. Exploiting this vulnerability could allow a remote attacker to execute arbitrary code...

AdvanceCOMP 安全漏洞

AdvanceCOMP is a cross-platform command line tool for data compression. The product is capable of optimizing compressed files and reducing compressed file size. A security vulnerability exists in AdvanceCOMP that stems from a segmentation error flaw resulting in reduced usability...

The vulnerability of the ParseAttribs function in the XML data compression tool Xmill allows a attacker to execute arbitrary code.

The vulnerability of the ParseAttribs function in the XML data compression tool Xmill is related to memory corruption caused by a specially crafted XML file. Exploiting this vulnerability allows an attacker to execute arbitrary code remotely...

Vulnerability of the Decompression Enumeration function in Uncompressor::UncompressItem. This compression tool for XML data allows attackers to execute arbitrary code.

Vulnerability of Decompression Enumeration function: Uncompressor::UncompressItem, an XML data compression tool, is vulnerable to a memory boundary error during XML file processing. Exploiting this vulnerability allows an attacker to execute arbitrary code remotely...

minizip, zlib security update

CentOS Errata and Security Advisory CESA-2023:1095 An update for zlib is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity...

Moderate: Red Hat Security Advisory: zlib security update

An update for zlib is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the C...