Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-3094 PoC — Xz: malicious code in distributed source

Source
https://github.com/dah4k/CVE-2024-3094
Associated Vulnerability
Title:Xz: malicious code in distributed source (CVE-2024-3094)
Description:Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
File Snapshot

 [4.0K]  /data/pocs/cfef4f9076bc26d7f4103f4d1e7bf3a3dd6b983d
├── [ 809]  Dockerfile.fedora
├── [4.0K]  files
│   ├── [2.5K]  jia_tan_pubkey.txt.zip
│   ├── [1.9K]  MANIFEST.adoc
│   ├── [2.9M]  xz-5.6.0-3.fc40.src.rpm
│   ├── [2.9M]  xz-5.6.1-1.fc41.src.rpm
│   ├── [1.4M]  xz-5.6.1-src.tar.gz
│   ├── [2.2M]  xz-5.6.1.tar.bz2
│   ├── [ 566]  xz-5.6.1.tar.bz2.sig
│   ├── [2.9M]  xz-5.6.1.tar.gz
│   ├── [ 566]  xz-5.6.1.tar.gz.sig
│   ├── [1.7M]  xz-5.6.1.tar.xz
│   ├── [ 566]  xz-5.6.1.tar.xz.sig
│   ├── [1.8M]  xz-5.6.1.tar.zst
│   ├── [ 566]  xz-5.6.1.tar.zst.sig
│   └── [1.6M]  xz-5.6.1.zip
└── [ 291]  Makefile

1 directory, 16 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →