I accidentally found a security issue while benchmarking postgres changes.

If you run Debian testing, unstable or some other more "bleeding edge" distribution, I strongly recommend upgrading ASAP.

https://www.openwall.com/lists/oss-security/2024/03/29/4

oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise

I was doing some micro-benchmarking at the time, needed to quiesce the system to reduce noise. Saw sshd processes were using a surprising amount of CPU, despite immediately failing because of wrong usernames etc. Profiled sshd, showing lots of cpu time in liblzma, with perf unable to attribute it to a symbol. Got suspicious. Recalled that I had seen an odd valgrind complaint in automated testing of postgres, a few weeks earlier, after package updates.

Really required a lot of coincidences.
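A quick triage script for the situation described above, added here as an example and not part of the original post or the xz project: it checks whether the sshd binary on the host is dynamically linked against liblzma (the exposure the post describes) and whether the installed xz is one of the two upstream releases the linked advisory identifies as backdoored, 5.6.0 and 5.6.1. The ldd output and the version banner embedded below are constructed samples for offline testing; a "linked" result on its own only means sshd is exposed to whatever liblzma does, not that this particular build is compromised.

```shell
#!/bin/sh
# Added example (not from the original post). Checks whether sshd links
# liblzma and whether the installed xz version is 5.6.0 or 5.6.1.

# Constructed sample ldd output, used only for offline self-tests.
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd1b9f0000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1c4e200000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1c4e1c0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c4de00000)'

# Constructed sample of the first lines "xz --version" prints.
SAMPLE_XZ_BANNER='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Return 0 if the given version string is one of the two backdoored releases.
is_affected_xz_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Read ldd output on stdin and print the resolved liblzma path, if any.
# Prints nothing when the binary does not link liblzma.
liblzma_path_from_ldd() {
    awk '/liblzma/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; exit } }'
}

# Read an "xz --version" banner on stdin and print the bare version number.
xz_version_from_banner() {
    sed -n '1s/.* \([0-9][0-9.]*\).*/\1/p'
}

# Run the checks against the live host. Always returns 0 so it can be
# sourced or chained; the findings go to stdout.
check_host() {
    sshd_bin="$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)"
    if [ -x "$sshd_bin" ]; then
        lzma_path="$(ldd "$sshd_bin" 2>/dev/null | liblzma_path_from_ldd)"
        if [ -n "$lzma_path" ]; then
            echo "sshd ($sshd_bin) links liblzma: $lzma_path"
        else
            echo "sshd ($sshd_bin) does not link liblzma"
        fi
    else
        echo "sshd binary not found; skipping link check"
    fi

    if command -v xz >/dev/null 2>&1; then
        ver="$(xz --version 2>/dev/null | xz_version_from_banner)"
        if is_affected_xz_version "$ver"; then
            echo "installed xz $ver is an affected release (5.6.0/5.6.1): upgrade now"
        else
            echo "installed xz version: ${ver:-unknown} (not 5.6.0/5.6.1)"
        fi
    else
        echo "xz not installed; skipping version check"
    fi
    return 0
}

check_host
```

The version check is deliberately exact-match: distributions that shipped a patched 5.6.1 rebuilt it under a new package revision, so the bare upstream version string stays a usable indicator, while the ldd check is what tells you whether sshd on this host is in liblzma's blast radius at all.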

@AndresFreundTec It's kind of sad reading the mailing list for the old maintainer of xz-utils / liblzma. Dude was single-handedly maintaining it after creating it as a hobby project, he got driven into the ground and he passed the project off to the culprit after being urged (rudely) to give it up. This should be a wake-up call tbh; this shouldn't happen to projects that have one maintainer and that literally hold the entire tech industry and Linux ecosystem on their shoulders.
@sweet @AndresFreundTec https://www.mail-archive.com/xz-devel@tukaani.org/msg00566.html this thread, right? IDK if the people here were other sockpuppets or just happened to steer in the direction that Jia Tan desired, but read in retrospect it still feels really like a team-up to force Lasse to give up control of the project.
Re: [xz-devel] XZ for Java

@sweet @AndresFreundTec Searching a bit, Jigar Kumar is an extremely common name, and on the mailing list he seemed to post only to bash the slow development / not merging of features https://www.mail-archive.com/search?l=xz-devel@tukaani.org&q=from:%22Jigar+Kumar%22 so it seems like an obvious sockpuppet; Dennis Ens has some more non-aggressive activity https://www.mail-archive.com/search?l=xz-devel@tukaani.org&q=from:%22Dennis+Ens%22 , but ultimately that thread felt really like a bad cop / good cop dynamic, with Lasse badly pressured in the middle.