Red Hat Warns Fedora Linux 40/41 and Rawhide Users About Critical Security Flaw
It would appear that the upstream tarballs of the XZ Utils 5.6.0 package, distributed via GitHub and the project’s official website, included some extra .m4 files that were not present in the project’s git repository and that contained instructions for building the software with a version of GNU Automake.
During the compilation of the liblzma library, a prebuilt object file is extracted from one of the test archives and used to modify specific functions in XZ Utils’ code. Since liblzma is loaded by software like sshd, the modified library could be used by a malicious actor to gain remote access to the vulnerable system.
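As an added example (not part of the article), two defender-side checks that follow from the description above: whether the installed xz is in the affected release range, and whether the local sshd links liblzma at all. Both are written as functions over captured text so they can be applied to output collected from another host; the inclusion of 5.6.1 alongside the 5.6.0 named in the article is this example's own assumption.

```shell
#!/bin/sh
# Added example, not from the article: checks for exposure to the
# XZ Utils 5.6.0 tarball compromise.
#   1. Is the installed xz in the affected version range?
#   2. Does the local sshd link liblzma (the exposure path)?

# Return 0 if `xz --version` output names an affected release.
# 5.6.0 is the version named in the article; 5.6.1 is included here
# as this example's assumption about the same tarball-only backdoor.
xz_version_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9.]*\).*/\1/p' | head -n 1)
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Return 0 if `ldd <sshd>` output lists liblzma as a dependency.
# On distributions where sshd links libsystemd, liblzma arrives transitively.
sshd_links_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Live check of this host; runs only when the tools are present.
xz_check_host() {
    if command -v xz >/dev/null 2>&1; then
        if xz_version_affected "$(xz --version 2>/dev/null)"; then
            echo "xz: AFFECTED version installed"
        else
            echo "xz: version not in affected range"
        fi
    fi
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_bin" ] && command -v ldd >/dev/null 2>&1; then
        if sshd_links_liblzma "$(ldd "$sshd_bin" 2>/dev/null)"; then
            echo "sshd: links liblzma (exposed if xz is affected)"
        else
            echo "sshd: does not link liblzma"
        fi
    fi
}

xz_check_host
```

A host where both checks report positive should be treated as compromised until the package is downgraded and the build provenance is verified.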