Your message dated Sat, 11 Jul 2026 10:32:49 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1141258,
regarding trixie-pu: package xz-utils/5.8.1-1+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1141258: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141258
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:xz-utils
User: [email protected]
Usertags: pu
* CVE-2026-34743: Buffer overflow in lzma_index_append()
(Closes: #1132497)
diffstat for xz-utils-5.8.1 xz-utils-5.8.1
changelog | 8 +
patches/0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch | 62
++++++++++
patches/series | 1
3 files changed, 71 insertions(+)
diff -Nru xz-utils-5.8.1/debian/changelog xz-utils-5.8.1/debian/changelog
--- xz-utils-5.8.1/debian/changelog 2025-04-04 00:02:58.000000000 +0300
+++ xz-utils-5.8.1/debian/changelog 2026-07-01 22:00:37.000000000 +0300
@@ -1,3 +1,11 @@
+xz-utils (5.8.1-1+deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2026-34743: Buffer overflow in lzma_index_append()
+ (Closes: #1132497)
+
+ -- Adrian Bunk <[email protected]> Wed, 01 Jul 2026 22:00:37 +0300
+
xz-utils (5.8.1-1) unstable; urgency=medium
* Import 5.8.1
diff -Nru
xz-utils-5.8.1/debian/patches/0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch
xz-utils-5.8.1/debian/patches/0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch
---
xz-utils-5.8.1/debian/patches/0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch
1970-01-01 02:00:00.000000000 +0200
+++
xz-utils-5.8.1/debian/patches/0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch
2026-07-01 22:00:13.000000000 +0300
@@ -0,0 +1,62 @@
+From ec8eb76979750630211ddbda41c7c64dac36d73d Mon Sep 17 00:00:00 2001
+From: Lasse Collin <[email protected]>
+Date: Sun, 29 Mar 2026 19:11:21 +0300
+Subject: liblzma: Fix a buffer overflow in lzma_index_append()
+
+If lzma_index_decoder() was used to decode an Index that contained no
+Records, the resulting lzma_index had an invalid internal "prealloc"
+value. If lzma_index_append() was called on this lzma_index, too
+little memory would be allocated and a buffer overflow would occur.
+
+While this combination of the API functions is meant to work, in the
+real-world apps this call sequence is rare or might not exist at all.
+
+This bug is older than xz 5.0.0, so all stable releases are affected.
+
+Reported-by: GitHub user christos-spearbit
+---
+ src/liblzma/common/index.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/src/liblzma/common/index.c b/src/liblzma/common/index.c
+index 6add6a68..c4aadb9b 100644
+--- a/src/liblzma/common/index.c
++++ b/src/liblzma/common/index.c
+@@ -433,6 +433,26 @@ lzma_index_prealloc(lzma_index *i, lzma_vli records)
+ if (records > PREALLOC_MAX)
+ records = PREALLOC_MAX;
+
++ // If index_decoder.c calls us with records == 0, it's decoding
++ // an Index that has no Records. In that case the decoder won't call
++ // lzma_index_append() at all, and i->prealloc isn't used during
++ // the Index decoding either.
++ //
++ // Normally the first lzma_index_append() call from the Index decoder
++ // would reset i->prealloc to INDEX_GROUP_SIZE. With no Records,
++ // lzma_index_append() isn't called and the resetting of prealloc
++ // won't occur either. Thus, if records == 0, use the default value
++ // INDEX_GROUP_SIZE instead.
++ //
++ // NOTE: lzma_index_append() assumes i->prealloc > 0. liblzma <= 5.8.2
++ // didn't have this check and could set i->prealloc = 0, which would
++ // result in a buffer overflow if the application called
++ // lzma_index_append() after decoding an empty Index. Appending
++ // Records after decoding an Index is a rare thing to do, but
++ // it is supposed to work.
++ if (records == 0)
++ records = INDEX_GROUP_SIZE;
++
+ i->prealloc = (size_t)(records);
+ return;
+ }
+@@ -685,6 +705,7 @@ lzma_index_append(lzma_index *i, const lzma_allocator
*allocator,
+ ++g->last;
+ } else {
+ // We need to allocate a new group.
++ assert(i->prealloc > 0);
+ g = lzma_alloc(sizeof(index_group)
+ + i->prealloc * sizeof(index_record),
+ allocator);
+--
+2.47.3
+
diff -Nru xz-utils-5.8.1/debian/patches/series
xz-utils-5.8.1/debian/patches/series
--- xz-utils-5.8.1/debian/patches/series 1970-01-01 02:00:00.000000000
+0200
+++ xz-utils-5.8.1/debian/patches/series 2026-07-01 22:00:37.000000000
+0300
@@ -0,0 +1 @@
+0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch
--- End Message ---
--- Begin Message ---
Version: 13.6
This update was released as part of 13.6.
--- End Message ---