Skip to content

update: xz-utils #1709

New issue
New issue
Closed
flatcar/scripts
#2807
Closed
update: xz-utils#1709
flatcar/scripts
#2807
Labels
advisorysecurity advisorycvss/HIGH> 7 && < 9 assessed CVSSsecuritysecurity concerns
@dongsupark

Description

@dongsupark
dongsupark
opened on Apr 4, 2025

Name: xz-utils
CVEs: CVE-2025-31115
CVSSs: 8.7
Action Needed: update to >= 5.6.4-r1

Summary: XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases.

refmap.gentoo: https://bugs.gentoo.org/953086

Metadata

Metadata

Assignees

No one assigned

    Labels

    advisorysecurity advisorycvss/HIGH> 7 && < 9 assessed CVSSsecuritysecurity concerns

    Type

    No type

    Projects

    Flatcar tactical, release planning, and roadmap

    Status

    Implemented

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions