iyanmv Apparently, upstream introduced a backdoor in the source code with this commit: https://github.com/tukaani-project/xz/commit/cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0 More info in this email list thread: https://www.openwall.com/lists/oss-security/2024/03/29/4
Titan_M2 GrapheneOS servers use Arch Linux, so the malicious package was installed although the backdoor didn't work on Arch. It remains to be seen what damage the developer may have done to other packages in the past.
fid02 https://x.com/GrapheneOS/status/1773818449208189373?s=20 No, check the information at the bottom of https://archlinux.org/news/the-xz-package-has-been-backdoored/. That part of the backdoor also hard-wired things which wouldn't have worked on Arch. However, the xz project and any other project involving the same developers needs to be investigated for more backdoors now... [...] See https://boehs.org/node/everything-i-know-about-the-xz-backdoor. We're looking into the directly relevant parts to us but it could be used to compromise other open source projects and spread from there. Quite a disaster for the whole system of relying on volunteers maintaining a huge fragmented set of packages.