Your message dated Sun, 15 Feb 2026 19:50:01 +0000
with message-id <[email protected]>
and subject line Bug#1128070: fixed in lrzip 0.660-1
has caused the Debian Bug report #1128070,
regarding lrzip: CVE-2025-15571
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1128070: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128070
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: lrzip
Version: 0.651-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/ckolivas/lrzip/issues/263
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for lrzip.
CVE-2025-15571[0]:
| A security vulnerability has been detected in ckolivas lrzip up to
| 0.651. This vulnerability affects the function ucompthread of the
| file stream.c. Such manipulation leads to null pointer dereference.
| The attack can only be performed from a local environment. The
| exploit has been disclosed publicly and may be used. The project was
| informed of the problem early through an issue report but has not
| responded yet.
Note, it is said to be fixed in latest git, but no commit provided,
cf. [2], so needs to be pinpointed.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-15571
https://www.cve.org/CVERecord?id=CVE-2025-15571
[1] https://github.com/ckolivas/lrzip/issues/263
[2] https://github.com/ckolivas/lrzip/issues/263#issuecomment-3894132137
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: lrzip
Source-Version: 0.660-1
Done: Laszlo Boszormenyi (GCS) <[email protected]>
We believe that the bug you reported is fixed in the latest version of
lrzip, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <[email protected]> (supplier of updated lrzip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 15 Feb 2026 20:09:34 +0100
Source: lrzip
Architecture: source
Version: 0.660-1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[email protected]>
Changed-By: Laszlo Boszormenyi (GCS) <[email protected]>
Closes: 1128069 1128070
Changes:
 lrzip (0.660-1) unstable; urgency=high
 .
   * New upstream release:
     - fixes CVE-2025-15570: use after free in lzma_decompress_buf()
       (closes: #1128069),
     - fixes CVE-2025-15571: NULL pointer dereference in ucompthread()
       (closes: #1128070).
   * Remove now redundant Rules-Requires-Root value.
   * Refer online version of Free Software Foundation licence.
   * Update Standards-Version to 4.7.2.
--- End Message ---