The XZ project has published the results of its commit audit and the first update since the backdoor was identified

Tomcat

Lasse Collin, the author and maintainer of the xz project, who recently granted maintainer rights to a second maintainer, Jia Tan, whose activities led to the introduction of the backdoor, has published corrective releases of XZ Utils 5.2.13, 5.4.7 and 5.6.2, which remove the backdoor components and other suspicious changes previously accepted from Jia Tan.

In addition, a review report has been published covering the Git repository and the changes added since December 2022, during Jia Tan's tenure as maintainer. The changes are analyzed at the level of individual commits. Commits in the repository were not digitally signed, but there were no signs of forgery on the part of the committers. A total of 8 malicious commits were removed from the repository.

The CLMUL CRC code has not yet been removed from the codebase; it causes false positives when checking with MSan (MemorySanitizer) and problems with OSS-Fuzz. The code is planned to be reworked in the future, but for now it has been left untouched to avoid regressions in old branches. No suspicious changes were detected in older commits that predate the changes made to advance the backdoor. Localization po files, metadata in tar files, and archives with releases and translations were checked separately.

The releases also include accumulated bug fixes and remove support for the IFUNC mechanism that Glibc provides for indirect function calls, which the backdoor used to set up function interception. It is noted that using IFUNC only complicates the code and that the performance gain from it is insignificant. As a precaution, the XZ logo, PDF versions of man pages, and two tests for the x86 and SPARC architectures that processed object files as input were also removed from the source package.

Among the new features, the xzdec decoder now supports version 4 of the ABI of the Landlock application isolation mechanism. The "--enable-doxygen" option has been added to the Autotools build scripts, and the ENABLE_DOXYGEN option has been added to the CMake scripts, to generate and install documentation for the liblzma API using Doxygen. The pregenerated documentation has been removed from the package.
 