Source: golang-github-ulikunitz-xz
Version: 0.5.6-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for golang-github-ulikunitz-xz.

CVE-2025-58058[0]:
| xz is a pure golang package for reading and writing xz-compressed
| files. Prior to version 0.5.14, it is possible to put data in front
| of an LZMA-encoded byte stream without detecting the situation while
| reading the header. This can lead to increased memory consumption
| because the current implementation allocates the full decoding
| buffer directly after reading the header. The LZMA header doesn't
| include a magic number or a checksum to detect such an issue,
| according to the specification. Note that the code recognizes the
| issue later while reading the stream, but at this time the memory
| allocation has already been done. This issue has been patched in
| version 0.5.14.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-58058
    https://www.cve.org/CVERecord?id=CVE-2025-58058
[1] https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9
[2] https://github.com/ulikunitz/xz/commit/88ddf1d0d98d688db65de034f48960b2760d2ae2

Regards,
Salvatore
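The mechanism behind the advisory, as an added illustration written for this report (it is not code from the ulikunitz/xz project or from the upstream fix): the 13-byte LZMA "alone" header is a properties byte, a little-endian 32-bit dictionary size and a little-endian 64-bit uncompressed size, with no magic number and no checksum, so a header read from the wrong offset (here: after constructed garbage bytes) often still passes the only structural check the format gives you, properties < 225, while carrying an arbitrary dictionary size. The defensive point the advisory describes is to not allocate the full declared dictionary on the strength of the header alone; the `BoundedDictSize` helper and the `maxDict` cap are this example's own construction and are not the library's API.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Header holds the fields of a 13-byte LZMA "alone" header (properties byte,
// dictionary size, uncompressed size). The layout is from the LZMA format
// specification; the type itself is constructed for this example.
type Header struct {
	LC, LP, PB       int
	DictSize         uint32
	UncompressedSize uint64 // 0xFFFFFFFFFFFFFFFF means "unknown"
}

const headerLen = 13

var ErrBadHeader = errors.New("lzma: invalid header")

// ParseHeader decodes the header and applies the only structural check the
// format offers: lc + lp*9 + pb*45 must be below 225. There is no magic
// number and no checksum, so bytes from the wrong offset can pass this check.
func ParseHeader(b []byte) (Header, error) {
	if len(b) < headerLen {
		return Header{}, ErrBadHeader
	}
	props := int(b[0])
	if props >= 225 {
		return Header{}, ErrBadHeader
	}
	return Header{
		LC:               props % 9,
		LP:               (props / 9) % 5,
		PB:               props / 45,
		DictSize:         binary.LittleEndian.Uint32(b[1:5]),
		UncompressedSize: binary.LittleEndian.Uint64(b[5:13]),
	}, nil
}

// BoundedDictSize returns how much dictionary buffer to allocate up front:
// the declared size, capped at maxDict. Assumption (example design, not the
// library's): the decoder grows the buffer lazily as real data arrives, so a
// header that lies about its dictionary size cannot force a large allocation
// before the stream has proven itself.
func BoundedDictSize(h Header, maxDict uint32) uint32 {
	if h.DictSize > maxDict {
		return maxDict
	}
	return h.DictSize
}

// validHeader is a constructed, well-formed header: props 0x5D (lc=3, lp=0,
// pb=2), dictionary 8 MiB, uncompressed size unknown.
var validHeader = []byte{
	0x5D,
	0x00, 0x00, 0x80, 0x00,
	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
}

// shiftedStream is the same header with three constructed garbage bytes in
// front of it, the situation the advisory describes.
var shiftedStream = append([]byte("abc"), validHeader...)

func main() {
	for _, in := range [][]byte{validHeader, shiftedStream} {
		h, err := ParseHeader(in)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		// The shifted input parses without error: 'a' (0x61 = 97) is a legal
		// properties byte, and the dictionary size is whatever bytes follow.
		fmt.Printf("lc=%d lp=%d pb=%d declared dict=%d bytes, allocate=%d bytes\n",
			h.LC, h.LP, h.PB, h.DictSize, BoundedDictSize(h, 1<<20))
	}
}
```

Run with `go run .`; the second line shows the misaligned header being accepted with a dictionary size taken from data bytes, and the cap holding the up-front allocation at 1 MiB regardless of what the header claims.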

