Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2024-3094 PoC — Xz: malicious code in distributed source

Source
https://github.com/TheTorjanCaptain/CVE-2024-3094-Checker
Associated Vulnerability
Title:Xz: malicious code in distributed source (CVE-2024-3094)
Description:Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Description
The repository consists of a checker file that confirms if your xz version and xz-utils package is vulnerable to CVE-2024-3094.
Readme
# CVE-2024-3094-Checker
The repository consists of a checker file that confirms if your xz version and xz-utils package is vulnerable to CVE-2024-3094.

# Disclaimer:
1. This script is provided without any warranty, express or implied.
2. By choosing to execute this script, you accept full responsibility for any consequences that may arise.
3. The author(s) disclaim liability for any damages or issues, including data loss or system instability, resulting from its use.
4. Before running this script, it is advisable to carefully review its functionality and ensure appropriate backups are in place.
5. Your use of this script implies your acknowledgment and acceptance of these terms.
   ~Author: TheTorjanCaptain


# Installation

1. Download the code(Hope you know how) or copy the raw data to a .sh file.
2. chmod +x filename.sh
3. ./filename.sh


# Mitigations
Please upgrade to a latest version or downgrade to a stable version.
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →