Your message dated Mon, 01 Sep 2025 13:49:36 +0000
with message-id <[email protected]>
and subject line Bug#1112508: fixed in golang-github-ulikunitz-xz 0.5.15-1
has caused the Debian Bug report #1112508,
regarding golang-github-ulikunitz-xz: CVE-2025-58058
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1112508: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112508
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: golang-github-ulikunitz-xz
Version: 0.5.6-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for golang-github-ulikunitz-xz.
CVE-2025-58058[0]:
| xz is a pure golang package for reading and writing xz-compressed
| files. Prior to version 0.5.14, it is possible to put data in front
| of an LZMA-encoded byte stream without detecting the situation while
| reading the header. This can lead to increased memory consumption
| because the current implementation allocates the full decoding
| buffer directly after reading the header. The LZMA header doesn't
| include a magic number or a checksum to detect such an issue,
| according to the specification. Note that the code recognizes the
| issue later while reading the stream, but at this time the memory
| allocation has already been done. This issue has been patched in
| version 0.5.14.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-58058
https://www.cve.org/CVERecord?id=CVE-2025-58058
[1] https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9
[2] https://github.com/ulikunitz/xz/commit/88ddf1d0d98d688db65de034f48960b2760d2ae2
Regards,
Salvatore
--- End Message ---
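The CVE text quoted in the report above hinges on a property of the LZMA "alone" header: it is 13 bytes (one properties byte, a 32-bit little-endian dictionary size, a 64-bit little-endian uncompressed size) with no magic number and no checksum, so bytes shifted by a junk prefix still parse as a plausible header, and a decoder that reserves the whole dictionary window as soon as it has read the header will allocate whatever the shifted size field says. The Go program below is an added example written for this page; it is not code from ulikunitz/xz or from the fix commit linked under [2]. ParseHeader, naiveDictAlloc, cappedDictAlloc, the two constructed inputs and the 64 MiB cap are this example's own names and choices, not the library's API.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Layout of the 13-byte LZMA ("lzma_alone") header:
//   byte 0      properties = (pb*5 + lp)*9 + lc, valid only if < 225
//   bytes 1-4   dictionary size, uint32 little-endian
//   bytes 5-12  uncompressed size, uint64 little-endian (all 0xFF = unknown)
// There is no magic number and no checksum, so any 13 bytes whose first
// byte is below 225 (about 88% of random bytes) parse as a header.
const headerLen = 13

// Header holds the decoded fields of an LZMA header.
type Header struct {
	LC, LP, PB uint   // literal context, literal position, position bits
	DictSize   uint32 // dictionary (sliding window) size in bytes
	UncompSize uint64 // declared uncompressed size, or all-ones for unknown
}

var (
	ErrShortHeader  = errors.New("lzma: header shorter than 13 bytes")
	ErrInvalidProps = errors.New("lzma: properties byte out of range")
	ErrDictTooLarge = errors.New("lzma: dictionary size exceeds configured cap")
)

// ParseHeader decodes the first 13 bytes of b. The properties check is the
// only structural validation the format allows; a prefixed stream can still
// pass it, which is the root cause described in CVE-2025-58058.
func ParseHeader(b []byte) (Header, error) {
	if len(b) < headerLen {
		return Header{}, ErrShortHeader
	}
	props := uint(b[0])
	if props >= 225 {
		return Header{}, ErrInvalidProps
	}
	return Header{
		LC:         props % 9,
		LP:         (props / 9) % 5,
		PB:         props / 45,
		DictSize:   binary.LittleEndian.Uint32(b[1:5]),
		UncompSize: binary.LittleEndian.Uint64(b[5:13]),
	}, nil
}

// naiveDictAlloc models the pre-fix behaviour the advisory describes: the
// decoder trusts DictSize and reserves the whole window right after the
// header, before any payload byte has been examined. It returns the number
// of bytes such a decoder would allocate.
func naiveDictAlloc(h Header) int64 {
	return int64(h.DictSize)
}

// cappedDictAlloc is the defensive variant: refuse to reserve more than
// maxDict bytes up front, so a bogus header cannot force a huge allocation.
// (Mitigation written for this example, not the upstream patch.)
func cappedDictAlloc(h Header, maxDict int64) (int64, error) {
	if int64(h.DictSize) > maxDict {
		return 0, ErrDictTooLarge
	}
	return int64(h.DictSize), nil
}

// legitHeader is a constructed, well-formed header: props 0x5D (lc=3, lp=0,
// pb=2), an 8 MiB dictionary and an unknown uncompressed size.
func legitHeader() []byte {
	return []byte{0x5D, 0x00, 0x00, 0x80, 0x00,
		0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}
}

// prefixedStream is the same header with four constructed junk bytes in
// front, as an attacker or a misbehaving framing layer could supply. The
// shifted bytes still pass the properties check, but the dictionary field
// now reads 0x5D000000 (about 1.45 GiB).
func prefixedStream() []byte {
	return append([]byte{0x00, 0x00, 0x00, 0x00}, legitHeader()...)
}

func main() {
	const maxDict = 64 << 20 // 64 MiB cap chosen for this example
	inputs := map[string][]byte{"legit": legitHeader(), "prefixed": prefixedStream()}
	for name, data := range inputs {
		h, err := ParseHeader(data)
		if err != nil {
			fmt.Printf("%-9s rejected: %v\n", name, err)
			continue
		}
		n, capErr := cappedDictAlloc(h, maxDict)
		fmt.Printf("%-9s lc=%d lp=%d pb=%d naive alloc=%d bytes, capped=%d err=%v\n",
			name, h.LC, h.LP, h.PB, naiveDictAlloc(h), n, capErr)
	}
}
```

Run with `go run`: the clean header yields an 8 MiB window, while the junk-prefixed bytes parse without error and would make a header-trusting decoder reserve roughly 1.45 GiB before the stream is ever found to be corrupt, exactly the ordering problem the CVE text describes. Bounding the up-front reservation (as cappedDictAlloc does) or deferring it until the stream has been validated removes the amplification; the real fix is the upstream commit under [2], and the practical check is that every vendored copy is at or above 0.5.14 (`go list -m all | grep ulikunitz/xz` in each module, or the Debian package at 0.5.15-1 or later).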
--- Begin Message ---
Source: golang-github-ulikunitz-xz
Source-Version: 0.5.15-1
Done: Dylan Aïssi <[email protected]>
We believe that the bug you reported is fixed in the latest version of
golang-github-ulikunitz-xz, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dylan Aïssi <[email protected]> (supplier of updated golang-github-ulikunitz-xz
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 01 Sep 2025 15:21:39 +0200
Source: golang-github-ulikunitz-xz
Architecture: source
Version: 0.5.15-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Dylan Aïssi <[email protected]>
Closes: 1112508
Changes:
golang-github-ulikunitz-xz (0.5.15-1) unstable; urgency=medium
.
* Team upload.
* New upstream release: 0.5.15
- Fix CVE-2025-58058 (Closes: #1112508)
* Upload to unstable.
Checksums-Sha1:
f1358dde40f0c1956b3b009c0ca2df7ad11698f1 2253 golang-github-ulikunitz-xz_0.5.15-1.dsc
2ebe1660b20a9341c0331816e51434499a64c1a3 4179122 golang-github-ulikunitz-xz_0.5.15.orig.tar.gz
b04af1ec78b375241701c7d88ede672d1ac9bd2c 2928 golang-github-ulikunitz-xz_0.5.15-1.debian.tar.xz
5e83ee65b0d79bb66ad5d9d05d75244f5eb380f2 5917 golang-github-ulikunitz-xz_0.5.15-1_amd64.buildinfo
Checksums-Sha256:
593606a601c1692ffbe3601e7cfd3477902a0e5a12b5c8b30d2e744943270859 2253 golang-github-ulikunitz-xz_0.5.15-1.dsc
d75d8560d25ac1d9729769e084134e047565ea9f5f908175eddb4372a7687505 4179122 golang-github-ulikunitz-xz_0.5.15.orig.tar.gz
a9845326ecf553c1663fb7a5145694d390562b0279c888c244e85fda4507c9c2 2928 golang-github-ulikunitz-xz_0.5.15-1.debian.tar.xz
d41224b8badb3a0d22da8534cb1221117c351dcb3d597771f37d7bdfd4a79aa2 5917 golang-github-ulikunitz-xz_0.5.15-1_amd64.buildinfo
Files:
3a80160ff5da5084b7f9d364a812691d 2253 devel optional golang-github-ulikunitz-xz_0.5.15-1.dsc
ed9feeaddc779b3a8492d69e6504e027 4179122 devel optional golang-github-ulikunitz-xz_0.5.15.orig.tar.gz
60bcd9b505c4be160b8afd711c76c4bc 2928 devel optional golang-github-ulikunitz-xz_0.5.15-1.debian.tar.xz
958b664d84afbff04c958becfc48a239 5917 devel optional golang-github-ulikunitz-xz_0.5.15-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---