From: "Hugo SIMELIERE (Schneider Electric)" <[email protected]>

Pick patch from [1] as 5.4.x upstream backport of [2] mentioned in Debian 
report in [3].

[1] https://github.com/tukaani-project/xz/commit/8538443d08591693a8c61f3a03656650f39c7c32
[2] https://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff99395f87
[3] https://security-tracker.debian.org/tracker/CVE-2026-34743

Signed-off-by: Hugo SIMELIERE (Schneider Electric) <[email protected]>
Reviewed-by: Bruno VERNAY <[email protected]>
---
 .../xz/xz/CVE-2026-34743.patch                | 68 +++++++++++++++++++
 meta/recipes-extended/xz/xz_5.4.7.bb          |  1 +
 2 files changed, 69 insertions(+)
 create mode 100644 meta/recipes-extended/xz/xz/CVE-2026-34743.patch

diff --git a/meta/recipes-extended/xz/xz/CVE-2026-34743.patch 
b/meta/recipes-extended/xz/xz/CVE-2026-34743.patch
new file mode 100644
index 0000000000..f890851cb2
--- /dev/null
+++ b/meta/recipes-extended/xz/xz/CVE-2026-34743.patch
@@ -0,0 +1,68 @@
+From ae7abca7c721c73bb4aadf41a82a720a842a4364 Mon Sep 17 00:00:00 2001
+From: Lasse Collin <[email protected]>
+Date: Sun, 29 Mar 2026 19:11:21 +0300
+Subject: [PATCH] liblzma: Fix a buffer overflow in lzma_index_append()
+
+If lzma_index_decoder() was used to decode an Index that contained no
+Records, the resulting lzma_index had an invalid internal "prealloc"
+value. If lzma_index_append() was called on this lzma_index, too
+little memory would be allocated and a buffer overflow would occur.
+
+While this combination of the API functions is meant to work, in the
+real-world apps this call sequence is rare or might not exist at all.
+
+This bug is older than xz 5.0.0, so all stable releases are affected.
+
+CVE: CVE-2026-34743
+Upstream-Status: Backport 
[https://github.com/tukaani-project/xz/commit/8538443d08591693a8c61f3a03656650f39c7c32]
+
+Reported-by: GitHub user christos-spearbit
+(cherry picked from commit c8c22869e780ff57c96b46939c3d79ff99395f87)
+(cherry picked from commit 8538443d08591693a8c61f3a03656650f39c7c32)
+Signed-off-by: Hugo SIMELIERE (Schneider Electric) 
<[email protected]>
+---
+ src/liblzma/common/index.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/src/liblzma/common/index.c b/src/liblzma/common/index.c
+index 8a35f439..dae7cab5 100644
+--- a/src/liblzma/common/index.c
++++ b/src/liblzma/common/index.c
+@@ -434,6 +434,26 @@ lzma_index_prealloc(lzma_index *i, lzma_vli records)
+       if (records > PREALLOC_MAX)
+               records = PREALLOC_MAX;
+ 
++      // If index_decoder.c calls us with records == 0, it's decoding
++      // an Index that has no Records. In that case the decoder won't call
++      // lzma_index_append() at all, and i->prealloc isn't used during
++      // the Index decoding either.
++      //
++      // Normally the first lzma_index_append() call from the Index decoder
++      // would reset i->prealloc to INDEX_GROUP_SIZE. With no Records,
++      // lzma_index_append() isn't called and the resetting of prealloc
++      // won't occur either. Thus, if records == 0, use the default value
++      // INDEX_GROUP_SIZE instead.
++      //
++      // NOTE: lzma_index_append() assumes i->prealloc > 0. liblzma <= 5.8.2
++      // didn't have this check and could set i->prealloc = 0, which would
++      // result in a buffer overflow if the application called
++      // lzma_index_append() after decoding an empty Index. Appending
++      // Records after decoding an Index is a rare thing to do, but
++      // it is supposed to work.
++      if (records == 0)
++              records = INDEX_GROUP_SIZE;
++
+       i->prealloc = (size_t)(records);
+       return;
+ }
+@@ -686,6 +706,7 @@ lzma_index_append(lzma_index *i, const lzma_allocator 
*allocator,
+               ++g->last;
+       } else {
+               // We need to allocate a new group.
++              assert(i->prealloc > 0);
+               g = lzma_alloc(sizeof(index_group)
+                               + i->prealloc * sizeof(index_record),
+                               allocator);
+-- 
+2.43.0
+
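Review bot: several long lines of the embedded patch file are wrapped by the mailer in this hunk (the `Upstream-Status: Backport [...]` line, the `Signed-off-by:` line, and the inner `@@ -686,6 +706,7 @@ lzma_index_append(...)` hunk header), so the file as rendered here would not apply cleanly and the stated 68-line count would be off; please confirm the committed CVE-2026-34743.patch keeps each of these on a single line. On substance, the `if (records == 0) records = INDEX_GROUP_SIZE;` added to lzma_index_prealloc() is the actual fix for the zero `prealloc` value described in the header, while the `assert(i->prealloc > 0);` added to lzma_index_append() is compiled out under NDEBUG and only documents the invariant; that matches the upstream change and is appropriate for a backport. The header carries the CVE tag, Upstream-Status and both cherry-pick source commits (c8c22869 and 8538443d), which is the metadata oe-core expects.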
diff --git a/meta/recipes-extended/xz/xz_5.4.7.bb 
b/meta/recipes-extended/xz/xz_5.4.7.bb
index 30a4c8e88c..72759edea0 100644
--- a/meta/recipes-extended/xz/xz_5.4.7.bb
+++ b/meta/recipes-extended/xz/xz_5.4.7.bb
@@ -30,6 +30,7 @@ SRC_URI = 
"https://github.com/tukaani-project/xz/releases/download/v${PV}/xz-${P
            file://CVE-2025-31115-02.patch \
            file://CVE-2025-31115-03.patch \
            file://CVE-2025-31115-04.patch \
+           file://CVE-2026-34743.patch \
           "
 SRC_URI[sha256sum] = 
"8db6664c48ca07908b92baedcfe7f3ba23f49ef2476864518ab5db6723836e71"
 UPSTREAM_CHECK_REGEX = "releases/tag/v(?P<pver>\d+(\.\d+)+)"
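Review bot: the `file://CVE-2026-34743.patch \` entry is appended directly after `file://CVE-2025-31115-04.patch \` and keeps the backslash continuation before the closing quote, so the SRC_URI list stays well-formed and follows the existing CVE-*.patch naming; the file name also matches the one created in the first part of the diff. The `SRC_URI =` hunk header line is wrapped in the mail, which is cosmetic as long as the patch is applied from the original mail rather than this rendering.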
-- 
2.43.0

View/Reply Online (#237441): https://lists.openembedded.org/g/openembedded-core/message/237441