Malicious code in XZ_jll.jl (v5.6.1+0); could it pose a problem?

Based on my examination of the package https://juliahub.com/ui/Packages/General/XZ_jll - XZ_jll.jl (v5.6.1+0)
it appears to be connected to a security issue detailed here: https://www.phoronix.com/news/XZ-CVE-2024-3094

  • “Some malicious code was added to XZ 5.6.0/5.6.1 that could allow unauthorized remote system access.”

This security issue is probably not critical in Julia in XZ_jll.jl (v5.6.1+0),
but could someone check if it could pose a problem?


Work in progress … :juliaheartpulsing: :juliaspinner: :juliaheartpulsing:

check:

$ docker run -it --rm julia:1.11-rc julia
               _
   _       _ _(_)_     |  Documentation: https://docs.julialang.org
  (_)     | (_) (_)    |
   _ _   _| |_  __ _   |  Type "?" for help, "]?" for Pkg help.
  | | | | | | |/ _` |  |
  | | |_| | | | (_| |  |  Version 1.11.0-alpha2 (2024-03-18)
 _/ |\__'_|_|_|\__'_|  |  Official https://julialang.org/ release
|__/                   |

(@v1.11) pkg> add XZ_jll
  Installing known registries into `~/.julia`
    Updating registry at `~/.julia/registries/General.toml`
   Resolving package versions...
   Installed JLLWrappers ─ v1.5.0
   Installed XZ_jll ────── v5.4.6+0
   Installed Preferences ─ v1.4.3
    Updating `~/.julia/environments/v1.11/Project.toml`
  [ffd25f8a] + XZ_jll v5.4.6+0
    Updating `~/.julia/environments/v1.11/Manifest.toml`
  [692b3bcd] + JLLWrappers v1.5.0
  [21216c6a] + Preferences v1.4.3
  [ffd25f8a] + XZ_jll v5.4.6+0
  [56f22d72] + Artifacts v1.11.0
  [ade2ca70] + Dates v1.11.0
  [8f399da3] + Libdl v1.11.0
  [de0858da] + Printf v1.11.0
  [fa267f1f] + TOML v1.0.3
  [4ec0a83e] + Unicode v1.11.0
Precompiling project...
  3 dependencies successfully precompiled in 4 seconds. 4 already precompiled.
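The session above shows Pkg resolving XZ_jll to v5.4.6+0 rather than one of the 5.6.x releases named in CVE-2024-3094. To check environments that already exist on a machine, the script below (added here as an example; it is not code from this thread or from the XZ_jll project) walks every Manifest.toml under a depot, reads the XZ_jll version each one pins, and flags any 5.6.0 or 5.6.1 build. It assumes the two section layouts Pkg writes, `[[deps.XZ_jll]]` (manifest format 2) and `[[XZ_jll]]` (format 1); the sample depot it creates is constructed for the demo. It only reports what a manifest pins and does not inspect the liblzma artifact itself.

```shell
#!/bin/sh
# Added example (not from the thread): scan Julia Manifest.toml files for the
# XZ_jll version they pin and flag the releases affected by CVE-2024-3094
# (XZ 5.6.0 and 5.6.1). Assumes the Manifest.toml layouts Pkg writes:
# "[[deps.XZ_jll]]" (manifest format 2) or "[[XZ_jll]]" (format 1).

# Print the version string of PKG (default XZ_jll) pinned in one manifest.
# Prints nothing if the package is not in the manifest.
xz_jll_version() {
    manifest=$1
    pkg=${2:-XZ_jll}
    awk -v pkg="$pkg" '
        /^\[\[/ { insec = ($0 == "[[deps." pkg "]]" || $0 == "[[" pkg "]]"); next }
        insec && /^version[ \t]*=/ {
            sub(/^version[ \t]*=[ \t]*"/, "")
            sub(/".*$/, "")
            print
            insec = 0
        }
    ' "$manifest"
}

# Exit 0 if VERSION is one of the compromised XZ releases. JLL versions carry
# a "+N" build suffix (e.g. 5.6.1+0); any build of 5.6.0 or 5.6.1 matches.
xz_jll_affected() {
    case "$1" in
        5.6.0|5.6.0+*|5.6.1|5.6.1+*) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk every Manifest.toml below DIR and report one line per manifest that
# pins XZ_jll: "<path> <version> <AFFECTED|ok>".
scan_manifests() {
    dir=$1
    find "$dir" -name Manifest.toml | sort | while IFS= read -r m; do
        v=$(xz_jll_version "$m")
        [ -n "$v" ] || continue
        if xz_jll_affected "$v"; then status=AFFECTED; else status=ok; fi
        printf '%s %s %s\n' "$m" "$v" "$status"
    done
}

# Constructed sample depot for the demo (not real files from the thread):
# one format-2 manifest pinning the clean 5.4.6+0, one format-1 manifest
# pinning the affected 5.6.1+0. Prints the depot path.
make_sample_depot() {
    depot=$(mktemp -d)
    mkdir -p "$depot/environments/v1.11" "$depot/environments/old"
    cat > "$depot/environments/v1.11/Manifest.toml" <<'EOF'
# This file is machine-generated - editing it directly is not advised

julia_version = "1.11.0"
manifest_format = "2.0"

[[deps.XZ_jll]]
deps = ["Artifacts", "JLLWrappers", "Libdl"]
version = "5.4.6+0"
EOF
    cat > "$depot/environments/old/Manifest.toml" <<'EOF'
[[XZ_jll]]
deps = ["Artifacts", "JLLWrappers", "Libdl"]
version = "5.6.1+0"
EOF
    printf '%s\n' "$depot"
}

# Usage against a real depot:  scan_manifests "$HOME/.julia"
# (if JULIA_DEPOT_PATH is set, scan each colon-separated entry separately).
sample=$(make_sample_depot)
scan_manifests "$sample"
rm -rf "$sample"
```

The version match is deliberately on the `5.6.0`/`5.6.1` prefix with any `+N` suffix, since JLL packages republish the same upstream release under new build numbers; a manifest that pins 5.4.x or 5.6.2+ is reported as ok.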

Related Julia code (by GitHub search)
