| Summary: | <app-arch/xz-utils-5.6.4-r1: Threaded .xz decoder frees memory too early | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sam James <sam> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | base-system |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://tukaani.org/xz/threaded-decoder-early-free.html | ||
| Whiteboard: | A3 [glsa+] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 953088 | ||
| Bug Blocks: | |||
|
Description
Sam James
2025-04-03 15:09:23 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c015a04fb35f5dc82c0a45d2b1a5b2bf57b3c6f3 commit c015a04fb35f5dc82c0a45d2b1a5b2bf57b3c6f3 Author: Sam James <sam@gentoo.org> AuthorDate: 2025-04-03 15:25:32 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2025-04-03 15:26:01 +0000 app-arch/xz-utils: add 5.6.4-r1 (patch CVE-2025-31115) Bug: https://bugs.gentoo.org/953086 Signed-off-by: Sam James <sam@gentoo.org> app-arch/xz-utils/Manifest | 2 + app-arch/xz-utils/xz-utils-5.6.4-r1.ebuild | 205 +++++++++++++++++++++++++++++ 2 files changed, 207 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=027213a0b0d9986bd95dcc4d0a86184ab372f784 commit 027213a0b0d9986bd95dcc4d0a86184ab372f784 Author: Sam James <sam@gentoo.org> AuthorDate: 2025-04-03 15:19:19 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2025-04-03 15:26:00 +0000 app-arch/xz-utils: add 5.8.1 Bug: https://bugs.gentoo.org/953086 Signed-off-by: Sam James <sam@gentoo.org> app-arch/xz-utils/Manifest | 2 + app-arch/xz-utils/xz-utils-5.8.1.ebuild | 199 ++++++++++++++++++++++++++++++++ 2 files changed, 201 insertions(+) The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=da2df533a0a1b5799029686bc64ece18ac31947e commit da2df533a0a1b5799029686bc64ece18ac31947e Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2025-04-05 00:42:34 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2025-04-05 00:42:51 +0000 [ GLSA 202504-01 ] XZ Utils: Use after free Bug: https://bugs.gentoo.org/953086 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Sam James <sam@gentoo.org> glsa-202504-01.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03dcb0bdfaab8a6429dd6ab4fa75a685e7e2bfa7 commit 03dcb0bdfaab8a6429dd6ab4fa75a685e7e2bfa7 Author: Sam James <sam@gentoo.org> AuthorDate: 2025-04-05 00:43:37 +0000 Commit: Sam James <sam@gentoo.org> CommitDate: 2025-04-05 00:43:37 +0000 app-arch/xz-utils: drop 5.6.4, 5.8.0 Bug: https://bugs.gentoo.org/953086 Signed-off-by: Sam James <sam@gentoo.org> app-arch/xz-utils/Manifest | 2 - app-arch/xz-utils/xz-utils-5.6.4.ebuild | 199 -------------------------------- app-arch/xz-utils/xz-utils-5.8.0.ebuild | 199 -------------------------------- 3 files changed, 400 deletions(-) All done. |