From https://tukaani.org/xz/threaded-decoder-early-free.html:

"""
In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash (CVE-2025-31115). The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected.

The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a patch is available that applies to all affected releases: xz-cve-2025-31115.patch — signature

The single-threaded .xz decoder (lzma_stream_decoder) isn’t affected. The commands xz --decompress --threads=1 and xzdec use the single-threaded decoder.
"""
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c015a04fb35f5dc82c0a45d2b1a5b2bf57b3c6f3

commit c015a04fb35f5dc82c0a45d2b1a5b2bf57b3c6f3
Author: Sam James <sam@gentoo.org>
AuthorDate: 2025-04-03 15:25:32 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2025-04-03 15:26:01 +0000

    app-arch/xz-utils: add 5.6.4-r1 (patch CVE-2025-31115)

    Bug: https://bugs.gentoo.org/953086
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/xz-utils/Manifest | 2 +
 app-arch/xz-utils/xz-utils-5.6.4-r1.ebuild | 205 +++++++++++++++++++++++++++++
 2 files changed, 207 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=027213a0b0d9986bd95dcc4d0a86184ab372f784

commit 027213a0b0d9986bd95dcc4d0a86184ab372f784
Author: Sam James <sam@gentoo.org>
AuthorDate: 2025-04-03 15:19:19 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2025-04-03 15:26:00 +0000

    app-arch/xz-utils: add 5.8.1

    Bug: https://bugs.gentoo.org/953086
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/xz-utils/Manifest | 2 +
 app-arch/xz-utils/xz-utils-5.8.1.ebuild | 199 ++++++++++++++++++++++++++++++++
 2 files changed, 201 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=da2df533a0a1b5799029686bc64ece18ac31947e

commit da2df533a0a1b5799029686bc64ece18ac31947e
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2025-04-05 00:42:34 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2025-04-05 00:42:51 +0000

    [ GLSA 202504-01 ] XZ Utils: Use after free

    Bug: https://bugs.gentoo.org/953086
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202504-01.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=03dcb0bdfaab8a6429dd6ab4fa75a685e7e2bfa7

commit 03dcb0bdfaab8a6429dd6ab4fa75a685e7e2bfa7
Author: Sam James <sam@gentoo.org>
AuthorDate: 2025-04-05 00:43:37 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2025-04-05 00:43:37 +0000

    app-arch/xz-utils: drop 5.6.4, 5.8.0

    Bug: https://bugs.gentoo.org/953086
    Signed-off-by: Sam James <sam@gentoo.org>

 app-arch/xz-utils/Manifest | 2 -
 app-arch/xz-utils/xz-utils-5.6.4.ebuild | 199 --------------------------------
 app-arch/xz-utils/xz-utils-5.8.0.ebuild | 199 --------------------------------
 3 files changed, 400 deletions(-)
All done.