Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:xz-utils
User: [email protected]
Usertags: pu

  * CVE-2026-34743: Buffer overflow in lzma_index_append()
    (Closes: #1132497)
diffstat for xz-utils-5.8.1 xz-utils-5.8.1

 changelog                                                             |    8 +
 patches/0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch |   62 
++++++++++
 patches/series                                                        |    1 
 3 files changed, 71 insertions(+)

diff -Nru xz-utils-5.8.1/debian/changelog xz-utils-5.8.1/debian/changelog
--- xz-utils-5.8.1/debian/changelog     2025-04-04 00:02:58.000000000 +0300
+++ xz-utils-5.8.1/debian/changelog     2026-07-01 22:00:37.000000000 +0300
@@ -1,3 +1,11 @@
+xz-utils (5.8.1-1+deb13u1) trixie; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2026-34743: Buffer overflow in lzma_index_append()
+    (Closes: #1132497)
+
+ -- Adrian Bunk <[email protected]>  Wed, 01 Jul 2026 22:00:37 +0300
+
 xz-utils (5.8.1-1) unstable; urgency=medium
 
   * Import 5.8.1
diff -Nru 
xz-utils-5.8.1/debian/patches/0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch
 
xz-utils-5.8.1/debian/patches/0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch
--- 
xz-utils-5.8.1/debian/patches/0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch
 1970-01-01 02:00:00.000000000 +0200
+++ 
xz-utils-5.8.1/debian/patches/0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch
 2026-07-01 22:00:13.000000000 +0300
@@ -0,0 +1,62 @@
+From ec8eb76979750630211ddbda41c7c64dac36d73d Mon Sep 17 00:00:00 2001
+From: Lasse Collin <[email protected]>
+Date: Sun, 29 Mar 2026 19:11:21 +0300
+Subject: liblzma: Fix a buffer overflow in lzma_index_append()
+
+If lzma_index_decoder() was used to decode an Index that contained no
+Records, the resulting lzma_index had an invalid internal "prealloc"
+value. If lzma_index_append() was called on this lzma_index, too
+little memory would be allocated and a buffer overflow would occur.
+
+While this combination of the API functions is meant to work, in the
+real-world apps this call sequence is rare or might not exist at all.
+
+This bug is older than xz 5.0.0, so all stable releases are affected.
+
+Reported-by: GitHub user christos-spearbit
+---
+ src/liblzma/common/index.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/src/liblzma/common/index.c b/src/liblzma/common/index.c
+index 6add6a68..c4aadb9b 100644
+--- a/src/liblzma/common/index.c
++++ b/src/liblzma/common/index.c
+@@ -433,6 +433,26 @@ lzma_index_prealloc(lzma_index *i, lzma_vli records)
+       if (records > PREALLOC_MAX)
+               records = PREALLOC_MAX;
+ 
++      // If index_decoder.c calls us with records == 0, it's decoding
++      // an Index that has no Records. In that case the decoder won't call
++      // lzma_index_append() at all, and i->prealloc isn't used during
++      // the Index decoding either.
++      //
++      // Normally the first lzma_index_append() call from the Index decoder
++      // would reset i->prealloc to INDEX_GROUP_SIZE. With no Records,
++      // lzma_index_append() isn't called and the resetting of prealloc
++      // won't occur either. Thus, if records == 0, use the default value
++      // INDEX_GROUP_SIZE instead.
++      //
++      // NOTE: lzma_index_append() assumes i->prealloc > 0. liblzma <= 5.8.2
++      // didn't have this check and could set i->prealloc = 0, which would
++      // result in a buffer overflow if the application called
++      // lzma_index_append() after decoding an empty Index. Appending
++      // Records after decoding an Index is a rare thing to do, but
++      // it is supposed to work.
++      if (records == 0)
++              records = INDEX_GROUP_SIZE;
++
+       i->prealloc = (size_t)(records);
+       return;
+ }
+@@ -685,6 +705,7 @@ lzma_index_append(lzma_index *i, const lzma_allocator 
*allocator,
+               ++g->last;
+       } else {
+               // We need to allocate a new group.
++              assert(i->prealloc > 0);
+               g = lzma_alloc(sizeof(index_group)
+                               + i->prealloc * sizeof(index_record),
+                               allocator);
+-- 
+2.47.3
+
diff -Nru xz-utils-5.8.1/debian/patches/series 
xz-utils-5.8.1/debian/patches/series
--- xz-utils-5.8.1/debian/patches/series        1970-01-01 02:00:00.000000000 
+0200
+++ xz-utils-5.8.1/debian/patches/series        2026-07-01 22:00:37.000000000 
+0300
@@ -0,0 +1 @@
+0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch

Reply via email to