In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in
liblzma has a bug where invalid input can at least result in a crash
(CVE-2025-31115). The bug has been fixed in XZ Utils 5.8.1, and the fix
has been committed to the v5.4, v5.6, v5.8, and master branches in the
xz Git repository. No new release packages will be made from the old
stable branches, but a patch is available that applies to all affected
releases. See the advisory for more information:

    https://tukaani.org/xz/threaded-decoder-early-free.html

XZ Utils 5.8.1 is available at <https://tukaani.org/xz/#_stable>.
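The affected range above (5.3.3alpha through 5.8.0) is easy to get wrong when alpha/beta suffixes are involved, so here is an added example, not part of the announcement or the xz project, that encodes a version string the way liblzma's own `lzma_version_number()` does (MAJOR*10000000 + MINOR*10000 + PATCH*10 + STABILITY, with alpha=0, beta=1, stable=2) and reports whether a given version falls inside the CVE-2025-31115 range; the `ctypes` lookup of the installed liblzma is an assumption about the host and simply returns `None` when no library is found.

```python
import ctypes
import ctypes.util
import re

# Stability codes as used by liblzma's LZMA_VERSION macro (lzma/version.h):
# alpha = 0, beta = 1, stable (no suffix) = 2.
_STABILITY = {"alpha": 0, "beta": 1, "": 2}


def parse_xz_version(text):
    """Parse 'MAJOR.MINOR.PATCH[alpha|beta]' into (major, minor, patch, stability)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(alpha|beta)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised xz version string: {text!r}")
    major, minor, patch, stab = m.groups()
    return (int(major), int(minor), int(patch), _STABILITY[stab or ""])


def version_number(v):
    """Encode a parsed version like lzma_version_number() so versions compare as integers."""
    major, minor, patch, stability = v
    return major * 10000000 + minor * 10000 + patch * 10 + stability


# Affected range stated in the advisory: 5.3.3alpha through 5.8.0 inclusive.
FIRST_AFFECTED = version_number(parse_xz_version("5.3.3alpha"))
LAST_AFFECTED = version_number(parse_xz_version("5.8.0"))


def is_affected(text):
    """True if the given xz/liblzma version lies inside the CVE-2025-31115 range."""
    n = version_number(parse_xz_version(text))
    return FIRST_AFFECTED <= n <= LAST_AFFECTED


def installed_liblzma_version():
    """Version string of the liblzma loadable on this host, or None if there is none (host-dependent)."""
    path = ctypes.util.find_library("lzma")
    if not path:
        return None
    lib = ctypes.CDLL(path)
    lib.lzma_version_string.restype = ctypes.c_char_p  # const char *lzma_version_string(void)
    lib.lzma_version_string.argtypes = []
    return lib.lzma_version_string().decode("ascii")


if __name__ == "__main__":
    v = installed_liblzma_version()
    if v is None:
        print("no liblzma found via ctypes")
    else:
        print(f"liblzma {v}: {'in affected range' if is_affected(v) else 'not in affected range'}")
```

Distributions often backport the fix without bumping the version, so treat a match as a prompt to check the package changelog rather than as proof of exposure.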

5.8.1 (2025-04-03)

    * Multithreaded .xz decoder (lzma_stream_decoder_mt()):

        - Fix a bug that could at least result in a crash with
          invalid input. (CVE-2025-31115)

        - Fix a performance bug: Only one thread was used if the whole
          input file was provided at once to lzma_code(), the output
          buffer was big enough, timeout was disabled, and LZMA_FINISH
          was used. There are no bug reports about this, thus it's
          possible that no real-world application was affected.

    * Avoid <stdalign.h> even with C11/C17 compilers. This fixes the
      build with Oracle Developer Studio 12.6 on Solaris 10 when the
      compiler is in C11 mode (the header doesn't exist).

    * Autotools: Restore compatibility with GNU make versions older
      than 4.0 by creating the package using GNU gettext 0.23.1
      infrastructure instead of 0.24.

    * Update Croatian translation.

-- 
Lasse Collin