Message-ID: <87o6k3274y.fsf@gentoo.org>
Date: Tue, 31 Mar 2026 19:20:13 +0100
From: Sam James <sam@...too.org>
To: oss-security@...ts.openwall.com
Cc: xz@...aani.org
Subject: Fwd: XZ Utils 5.8.3 and a security fix
Hi,
We've released a new xz version with some minor security fixes. It's not
believed that any application is actually vulnerable to the main one,
nor the other. It requires an unusual use of a rarely called API.
-------------------- Start of forwarded message --------------------
Date: Tue, 31 Mar 2026 19:58:29 +0300
From: Lasse Collin <lasse.collin@...aani.org>
To: xz-announce@...aani.org
Subject: XZ Utils 5.8.3 and a security fix
In XZ Utils 5.8.2 and older, a buffer overflow can occur in
lzma_index_append() under conditions that likely don't exist in any
real-world application (CVE-2026-34743). No new 5.2.x, 5.4.x, or 5.6.x
releases will be made, but the fix is in the v5.2, v5.4, and v5.6
branches in the xz Git repository. For details, see the NEWS entry
below or the security advisory:
https://tukaani.org/xz/index-append-overflow.html
XZ Utils 5.8.3 is available at <https://tukaani.org/xz/#_stable>.
5.8.3 (2026-03-31)
* liblzma:
- Fix a buffer overflow in lzma_index_append(): If
lzma_index_decoder() was used to decode an Index that
contained no Records, the resulting lzma_index was left in
a state where a subsequent lzma_index_append() would
allocate too little memory, and a buffer overflow would occur.
The lzma_index functions are rarely used by applications
directly. In the few applications that do use these functions,
the combination of function calls required to trigger this bug
is unlikely to exist, because there typically is no reason to
append Records to a decoded lzma_index. Thus, it's likely that
this bug cannot be triggered in any real-world application.
The bug was reported and discovered by Cantina using their
AppSec agent, Apex.
- Fix the build on Windows ARM64EC.
- Add "License: 0BSD" to liblzma.pc.
* xz:
- Fix invalid memory access in --files and --files0. All of
the following must be true to trigger it:
1. A string being read (which supposedly is a filename) is
at least SIZE_MAX / 2 bytes long. This size is plausible
on 32-bit platforms (2 GiB - 1 B).
2. realloc(ptr, SIZE_MAX / 2 + 1) must succeed.
On glibc >= 2.30 it shouldn't because the value
exceeds PTRDIFF_MAX.
3. An integer overflow results in a realloc(ptr, 0) call.
If it doesn't return NULL, then invalid memory access
will occur.
- On QNX, don't use fsync() on directories because it fails.
* Autotools: Enable 32-bit x86 assembler on Hurd by default.
It was already enabled in the CMake-based build.
* Translations: Add Arabic man page translations.
--
Lasse Collin
-------------------- End of forwarded message --------------------
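Added illustration, not xz's code and not the fix that shipped in 5.8.3: condition 3 in the --files/--files0 item above is a capacity computation that wraps to zero before it reaches realloc(). The hypothetical helpers below put a naive doubling, which wraps for a capacity of SIZE_MAX / 2 + 1, next to a checked version that fails closed at PTRDIFF_MAX, the same ceiling glibc >= 2.30 already enforces inside realloc(). The record reader and its NUL-separated input list are constructed to stand in for a --files0-style list.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Naive doubling with no overflow check (illustrative, not xz's code).
 * For cap == SIZE_MAX / 2 + 1 the product wraps to 0, which is the kind
 * of value the advisory describes ending up in realloc(ptr, 0). */
size_t grow_naive(size_t cap)
{
    return cap * 2;
}

/* Checked doubling: refuse rather than wrap. The ceiling is PTRDIFF_MAX,
 * matching the limit glibc >= 2.30 enforces inside realloc(). */
bool grow_checked(size_t cap, size_t *new_cap)
{
    if (cap > (size_t)PTRDIFF_MAX / 2)
        return false;
    *new_cap = (cap == 0) ? 64 : cap * 2;
    return true;
}

/* Growable byte buffer accumulating one delimited record (hypothetical). */
struct growbuf {
    char  *data;
    size_t len;
    size_t cap;
};

/* Append one byte. Returns false (buffer left intact) on overflow or OOM,
 * so the caller never reaches realloc(ptr, 0) or writes past the end. */
bool growbuf_push(struct growbuf *b, char c)
{
    if (b->len == b->cap) {
        size_t new_cap;
        if (!grow_checked(b->cap, &new_cap))
            return false;
        char *p = realloc(b->data, new_cap);
        if (p == NULL)
            return false;
        b->data = p;
        b->cap = new_cap;
    }
    b->data[b->len++] = c;
    return true;
}

/* Copy one NUL-terminated record from an in-memory list into out.
 * Returns the record length, or SIZE_MAX if it could not be stored
 * (no terminator, allocation failure, or refused growth). */
size_t read_record(const char *src, size_t srclen, struct growbuf *out)
{
    out->len = 0;
    for (size_t i = 0; i < srclen; i++) {
        if (src[i] == '\0')
            return growbuf_push(out, '\0') ? i : SIZE_MAX;
        if (!growbuf_push(out, src[i]))
            return SIZE_MAX;
    }
    return SIZE_MAX;
}

int main(void)
{
    /* Constructed --files0-style list: two names, each NUL-terminated. */
    const char list[] = "a.xz\0dir/b.xz\0";
    struct growbuf b = {NULL, 0, 0};
    size_t nc = 0;

    printf("naive grow of SIZE_MAX/2+1 -> %zu\n", grow_naive(SIZE_MAX / 2 + 1));
    printf("checked grow of SIZE_MAX/2+1 -> %s\n",
           grow_checked(SIZE_MAX / 2 + 1, &nc) ? "ok" : "refused");

    size_t n = read_record(list, sizeof list - 1, &b);
    printf("record 1: len %zu, \"%s\"\n", n, b.data);
    n = read_record(list + 5, sizeof list - 1 - 5, &b);
    printf("record 2: len %zu, \"%s\"\n", n, b.data);
    free(b.data);
    return 0;
}
```

The point of the checked path is that the failure is reported to the caller as a refused growth rather than being handed to the allocator as a wrapped size, so behaviour no longer depends on what a particular libc does with realloc(ptr, 0).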