
Bug#1110476: Docker Hub Debian image contains CVE-2024-3094 backdoor



Package: cloud.debian.org
Version: N/A
X-Debbugs-CC: fabio@binarly.io, alex@binarly.io

Hi,

This month, we identified that ten Debian official base images
published on Docker Hub still contained one of the xz-utils backdoors
(CVE-2024-3094).
Could you please remove these images from Docker Hub?

Affected Image Tags & Manifest Digests:
- rc-buggy-20240311
(a702c7f4bb57a17762e258871f45f8273ae49bec5515452d5133e66450c95ba5)
- experimental-20240311
(81992d9d8eb99b5cde98ba557a38a171e047b222a767dc7ec0ffe0a194b1c469)
- unstable-20240311-slim
(7a3332fbf100a0ef9762ead20a4224665768b237c5bfedfe0f86bf88e0c13b7a)
- unstable-20240311
(8690225da3ca369e9be720446f73e0aa06f290776fdf2605b6ec80c2b229b9f6)
- trixie-20240311-slim
(d4e306f14b8b7389b36be8fb0eadab638cb7744546a33a74f0fc27bb9037dc14)
- trixie-20240311
(85068c773f7fcc9c9acd8f244759cb2131e7a1775c5bf8d6710f76e7467fa3f1)
- testing-20240311-slim
(c2e15dd5788b20f360ab3f2d8b60111b6e8b011c5c4960e0129551c743f5cd30)
- testing-20240311
(0746d89c588160d0470beaae7a55e38305ede06cb5717d132bd6a795610234d8)
- sid-20240311-slim
(94596b0770714bac6e8adef7e1d3dbc16245ad2978f94006587e44850343cb88)
- sid-20240311 (0aff2113f50451631f0f8c22d85c97aad855d73545b6018fcbe9f0a78ae26583)

All images contain the same backdoor sample:
https://www.virustotal.com/gui/file/319feb5a9cddd81955d915b5632b4a5f8f9080281fb46e2f6d69d53f693c23ae

Thanks,
Takahiro

