Change History (7)
comment:1 by , 2 months ago
comment:3 by , 2 months ago
I don't think I would either, but I've been bitten by this bug. When I create a qemu image of a build I xz compress it and decompress it on a test system. I was getting crashes in xz when decompressing the image. I thought it may have been because of a flaky USB stick or something but this does explain it.
comment:4 by , 8 weeks ago
XZ Utils Release Notes
5.8.1 (2025-04-03)
IMPORTANT: This includes a security fix for CVE-2025-31115 which affects XZ Utils from 5.3.3alpha to 5.8.0. No new 5.4.x or 5.6.x releases will be made, but the fix is in the v5.4 and v5.6 branches in the xz Git repository. A standalone patch for all affected versions is available as well.
- Multithreaded .xz decoder (lzma_stream_decoder_mt()):
- Fix a bug that could at least result in a crash with invalid input. (CVE-2025-31115)
- Fix a performance bug: Only one thread was used if the whole input file was provided at once to lzma_code(), the output buffer was big enough, timeout was disabled, and LZMA_FINISH was used. There are no bug reports about this, thus it's possible that no real-world application was affected.
- Avoid <stdalign.h> even with C11/C17 compilers. This fixes the build with Oracle Developer Studio 12.6 on Solaris 10 when the compiler is in C11 mode (the header doesn't exist).
- Autotools: Restore compatibility with GNU make versions older than 4.0 by creating the package using GNU gettext 0.23.1 infrastructure instead of 0.24.
- Update Croatian translation.
comment:5 by , 8 weeks ago
| Priority: | normal → high |
|---|
Note:
See TracTickets
for help on using tickets.
This update fixes CVE-2025-31115.
https://github.com/tukaani-project/xz/security/advisories/GHSA-6cc8-p5mm-29w2