
The xz backdoor was not about safety. Nor was it really about compilation or compile-time checks -- they slipped an extra object file to the linker.


You're right that Wuffs' memory-safety isn't relevant for this attack.

Still, Wuffs doesn't use autotools, and if you're pulling the library from the https://github.com/google/wuffs-mirror-release-c repository then that repo doesn't even contain any binary-data test files.



