
On 04.04.2024 21:47, Ben Greiner wrote:
On 04.04.24 at 18:58, Knurpht-openSUSE wrote:
On Thursday, 4 April 2024 18:50:35 CEST, Fritz Hudnut wrote:
I thought that would be "obvious" . . . the problem . . . and the response to the problem . . . in regards to efficiency, etc. It only shows that Manjaro did not yet downgrade and is still vulnerable.
It only shows that the Archlinux/Manjaro Maintainers are less than knowledgeable about their packages. In spite of not building rpm or Debian packages, they claim to have "fixed" the backdoor while going from 5.6.1-1 to 5.6.2-2 [1].
According to the available information, the backdoor was injected by code in the release tarball which was not present in git. Arch switched from using the release tarball to using git: https://gitlab.archlinux.org/archlinux/packaging/packages/xz/-/commit/881385...
The disassembly of liblzma didn't even change between those package versions.
You mean you built both versions and they were identical?
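
The tarball-versus-git difference discussed in this thread can be checked mechanically. The following is an added example, not code from any poster or from the Arch or xz projects: it lists files that exist only in a release tarball, or whose content differs from a git checkout of the same tag. The function names, the `strip_components` parameter and the sample file names are assumptions made for illustration.

```python
import hashlib
import io
import tarfile
from pathlib import Path


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_tarball_vs_tree(tar_obj, tree_dir, strip_components=1):
    """Compare regular files in a release tarball with a git checkout.

    Returns (only_in_tarball, modified): paths present only in the
    tarball, and paths whose content differs from the checkout.
    """
    tree = Path(tree_dir)
    only_in_tarball, modified = [], []
    with tarfile.open(fileobj=tar_obj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Drop the leading "pkg-1.2.3/" directory used by release tarballs.
            parts = Path(member.name).parts[strip_components:]
            if not parts or ".." in parts:
                continue  # skip the top-level entry and path-traversal names
            rel = Path(*parts)
            data = tar.extractfile(member).read()
            on_disk = tree / rel
            if not on_disk.is_file():
                only_in_tarball.append(rel.as_posix())
            elif _sha256(on_disk.read_bytes()) != _sha256(data):
                modified.append(rel.as_posix())
    return sorted(only_in_tarball), sorted(modified)


def make_sample_tarball(files):
    """Build an in-memory .tar.gz from {path: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

Autotools release tarballs normally ship generated files that are not tracked in git, so entries in the first list need review rather than being findings by themselves; entries in the second list are tracked files whose tarball copy does not match the repository.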