xz
libarchive
xz | libarchive
---|---
24 | 33
160 | 2,893
- | 3.2%
9.7 | 9.1
about 2 months ago | 5 days ago
C | C
GNU General Public License v3.0 or later | GNU General Public License v3.0 or later
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
xz
- XZ backdoor story – Initial analysis
Very funny. This one:
https://github.com/tukaani-project/xz/commits?author=thesame...
- Xz: Update maintainer and author info. The other maintainer suddenly disappeared
- Thanks Andres Freud
- The xz-utils backdoor has been removed
- The xz sshd backdoor rabbithole goes quite a bit deeper
> The payload of the 'hack' contains fairly easy ways for the xz hackers to update the payload. They actually used it to remove a real issue where their hackery causes issues with valgrind that might lead to discovering it, and they also used it to release 5.6.1 which rewrites significant chunks;
The valgrind fix in 5.6.1 overwrites the same test files used in 5.6.0 instead of using the injection code's extension hooks. This is done with what should have been a highly suspicious commit: https://github.com/tukaani-project/xz/commit/6e636819e8f0703... - this replaces "random" test files with other "random" test files. The stated reason is questionable to begin with, but not including the seed used when the purported reason was to be able to re-create the files in the future is highly suspicious. This should have raised red flags but no one was watching. I'd say this is another part of the operation that was much more sloppy than it needed to be.
- Timeline of the xz open source attack
In https://archive.softwareheritage.org/browse/revision/e446ab7...
- GitHub Disabled the Xz Repo
You're right, but maybe because there's nothing to see: https://github.com/tukaani-project/xz
- Xz Repository Censored by GitHub
- Backdoor in upstream xz/liblzma leading to SSH server compromise
- The Return of the Frame Pointers
libarchive
- The XZ attack and timeline
29. October 2021 At this point Jia Tan pops up, and the first thing we see from him is an innocuous patch to the xz repository, and while a lot of people believe he started out trying his luck with another library also known as libarchive, this is not the case, I would bet it’s more of a backup looking at the dates, being that there are a few days in between as shown in this commit.
- Zip entry size unset now honors user requested compression level
- Suspicious libarchive pull request
- Backdoor in upstream xz/liblzma leading to SSH server compromise
Potentially malicious commit by same author on libarchive: https://github.com/libarchive/libarchive/pull/1609
- WinRAR had to become shady.
- Making Amiga IFF Thumbnails Work in Linux
Full agreement, and with the addition of xpk¹/xfd² as natural extensions to that extensibility too. I see things like xfd supporting xz³, and I'm simultaneously amazed that it exists and happy that I don't need to do xz {,de}compression on 68k ;)
I guess we have something similar-ish with libarchive⁴, but nobody (including me) has pushed the extra mile to get file dialogs to support random compression and decompression formats.
Beyond OT: I didn't realise how much stuff was still going on at aminet, but I love love LOVE that people are still dropping new car sets for Geoff Crammond's F1GP.
¹ http://aminet.net/package/util/pack/xpk_User
² http://aminet.net/package/util/pack/xfdmaster
³ http://aminet.net/package/util/pack/xfd_lzma.lha
⁴ https://www.libarchive.org/
- WinRAR zero-day exploited since April to hack trading accounts
I don't have a preview channel install handy to check, but apparently they're using libarchive so here's the full list assuming they expose everything it supports:
https://github.com/libarchive/libarchive/wiki/LibarchiveForm...
- Announcing Windows 11 Insider Preview Build 23493 for the Dev Channel
As announced at the Build conference back in May, this build adds native support for reading additional archive file formats using the libarchive open-source project such as
- Poor winrar
LibarchiveFormats · libarchive/libarchive Wiki · GitHub
- Windows 11 getting native support for 7-Zip, RAR, and GZ archives
Seems what they're using is BSD-licensed: https://github.com/libarchive/libarchive/wiki
What are some alternatives?
wasmtime - A fast and secure runtime for WebAssembly
ZLib - A massively spiffy yet delicately unobtrusive compression library.
stencil-golang - Template repository for Golang applications
7z - Because 7-zip source code was in a 7z archive [mirror]
tukaani-project
p7zip - A new p7zip fork with additional codecs and improvements (forked from https://sourceforge.net/projects/sevenzip/ AND https://sourceforge.net/projects/p7zip/).
Folly - An open-source C++ library developed and used at Facebook.
fpart - Sort files and pack them into partitions
freedesktop-sdk
pixz - Parallel, indexed xz compressor
systemd - The systemd System and Service Manager
Klib - A standalone and lightweight C library