ZipArchive may have attracted curiosity of Jia Tan #699
Coeur changed the title from "ZipArchive may has a po" to "ZipArchive may have attracted curiosity of Jiat Tan" on Apr 2, 2024
Coeur changed the title from "ZipArchive may have attracted curiosity of Jiat Tan" to "ZipArchive may have attracted curiosity of Jia Tan" on Apr 2, 2024
Jia Tan, now famous for incorporating a state-sponsored backdoor to the archive tool xz, CVE-2024-3094 (CVSS score: 10.0), affecting xz 3.6.0 and 3.6.1, had forked ZipArchive in the past: https://github.com/Jiat75/ZipArchive/
Luckily, they apparently didn't go beyond that for our project. And they apparently didn't fork minizip.
Note that xz wasn't their only target, since they also tried their hand on libarchive: libarchive/libarchive#1609 (affecting multiple releases, fixed in libarchive 3.7.2_1)