April 8th, 2024 23:55

Malicious code in Linux xz Utils tool

A researcher stumbled on malicious code in the Linux compression tool xz Utils that had been secretly introduced into versions 5.6.0 and 5.6.1 of this tool. The malicious versions were submitted under the name "JiaT75", one of two main xz Utils developers, who has been contributing to the project for years and has the clout to make and approve changes.

So far, there are no reports that the malicious code has been incorporated into production releases of major Linux distributions, but Red Hat and Debian report that recently published beta releases use at least one of the affected versions of the utility, specifically Fedora Rawhide and Debian testing. A stable release of Arch Linux is also affected.

JiaT75 apparently also asked the main developers/maintainers of Ubuntu and Fedora to include a malicious version of xz Utils in their fully released versions, claiming it fixes bugs causing the Linux Valgrind tool to malfunction.

Anyone using Linux should check directly with their distributor immediately to determine if their system is affected. A script has been created to test for the malicious code.

Read more here...
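
A version check for the two releases named above, as an added example that is not part of the original post and is not the test script it mentions. Function names and sample version strings are constructed for illustration; a match only means the installed release is 5.6.0 or 5.6.1, so the distributor's advisory remains the authority.

```shell
#!/bin/sh
# Added example: flag xz / liblzma version strings that match the releases
# the post names as malicious (5.6.0 and 5.6.1). Helper names are hypothetical.

# Reduce a package or upstream version string to its upstream x.y.z part.
# Handles an epoch prefix ("1:5.6.1-1"), a packaging revision ("5.6.1-1.fc41")
# and Debian's "+really" convention, where the text after "+really" is the
# upstream version actually shipped.
xz_upstream_version() {
    v=$1
    v=${v#*:}                          # drop epoch, if any
    case $v in
        *+really*) v=${v##*+really} ;; # keep the version really shipped
    esac
    v=${v%%-*}                         # drop packaging revision
    v=${v%%[!0-9.]*}                   # drop trailing suffix such as "+dfsg"
    printf '%s\n' "$v"
}

# Return 0 if the version is one of the two releases named in the post.
xz_version_affected() {
    case $(xz_upstream_version "$1") in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a one-line verdict for a version string.
xz_verdict() {
    if xz_version_affected "$1"; then
        printf 'AFFECTED %s\n' "$1"
    else
        printf 'ok %s\n' "$1"
    fi
}

# Check the locally installed xz; the first line of "xz --version" ends
# with the version number, e.g. "xz (XZ Utils) 5.4.5".
check_local_xz() {
    command -v xz >/dev/null 2>&1 || { echo "xz not installed"; return 0; }
    xz_verdict "$(xz --version | sed -n '1s/.* //p')"
}

# Constructed sample package versions, then the local binary.
for sample in 5.6.1-1 1:5.6.0-0.2 5.6.1-1.fc41 5.6.1+really5.4.5-1 5.4.6-1; do
    xz_verdict "$sample"
done
check_local_xz
```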
