Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0 (CVE-2024-3094). Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that, when loaded by the “opensshd” process, will be able to alter SSH communications.

An investigation of AdaCore-produced software and supply chain showed that the 5.6.0 version compromised sources were used between the 28th of February and the 1st of April. Nevertheless, the context in which the liblzma library build was done did not trigger the inclusion of the malware in our liblzma builds. Despite not being impacted, AdaCore has decided to downgrade the version of that library to the previously used version in the supply chain, which was 5.2.4. The malicious source tarball and all build artifacts that contain that source code in their closure are being removed from all our systems. In addition, customers who have received software from AdaCore that had the malicious xz sources in their closure have been notified.

Document Control Information





Nicolas Roche