Version in base suite: 5.8.1-1 Base version: xz-utils_5.8.1-1 Target version: xz-utils_5.8.1-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/x/xz-utils/xz-utils_5.8.1-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/x/xz-utils/xz-utils_5.8.1-1+deb13u1.dsc changelog | 8 + patches/0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch | 62 ++++++++++ patches/series | 1 3 files changed, 71 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp2bc6d2kk/xz-utils_5.8.1-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp2bc6d2kk/xz-utils_5.8.1-1+deb13u1.dsc: no acceptable signature found
diff -Nru xz-utils-5.8.1/debian/changelog xz-utils-5.8.1/debian/changelog
--- xz-utils-5.8.1/debian/changelog 2025-04-03 21:02:58.000000000 +0000
+++ xz-utils-5.8.1/debian/changelog 2026-07-01 19:00:37.000000000 +0000
@@ -1,3 +1,11 @@
+xz-utils (5.8.1-1+deb13u1) trixie; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2026-34743: Buffer overflow in lzma_index_append()
+ (Closes: #1132497)
+
+ -- Adrian Bunk Wed, 01 Jul 2026 22:00:37 +0300
+
 xz-utils (5.8.1-1) unstable; urgency=medium
 
 * Import 5.8.1
diff -Nru xz-utils-5.8.1/debian/patches/0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch xz-utils-5.8.1/debian/patches/0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch
--- xz-utils-5.8.1/debian/patches/0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch 1970-01-01 00:00:00.000000000 +0000
+++ xz-utils-5.8.1/debian/patches/0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch 2026-07-01 19:00:13.000000000 +0000
@@ -0,0 +1,62 @@
+From ec8eb76979750630211ddbda41c7c64dac36d73d Mon Sep 17 00:00:00 2001
+From: Lasse Collin
+Date: Sun, 29 Mar 2026 19:11:21 +0300
+Subject: liblzma: Fix a buffer overflow in lzma_index_append()
+
+If lzma_index_decoder() was used to decode an Index that contained no
+Records, the resulting lzma_index had an invalid internal "prealloc"
+value. If lzma_index_append() was called on this lzma_index, too
+little memory would be allocated and a buffer overflow would occur.
+
+While this combination of the API functions is meant to work, in the
+real-world apps this call sequence is rare or might not exist at all.
+
+This bug is older than xz 5.0.0, so all stable releases are affected.
+
+Reported-by: GitHub user christos-spearbit
+---
+ src/liblzma/common/index.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/src/liblzma/common/index.c b/src/liblzma/common/index.c
+index 6add6a68..c4aadb9b 100644
+--- a/src/liblzma/common/index.c
++++ b/src/liblzma/common/index.c
+@@ -433,6 +433,26 @@ lzma_index_prealloc(lzma_index *i, lzma_vli records)
+ if (records > PREALLOC_MAX)
+ records = PREALLOC_MAX;
+ 
++ // If index_decoder.c calls us with records == 0, it's decoding
++ // an Index that has no Records. In that case the decoder won't call
++ // lzma_index_append() at all, and i->prealloc isn't used during
++ // the Index decoding either.
++ //
++ // Normally the first lzma_index_append() call from the Index decoder
++ // would reset i->prealloc to INDEX_GROUP_SIZE. With no Records,
++ // lzma_index_append() isn't called and the resetting of prealloc
++ // won't occur either. Thus, if records == 0, use the default value
++ // INDEX_GROUP_SIZE instead.
++ //
++ // NOTE: lzma_index_append() assumes i->prealloc > 0. liblzma <= 5.8.2
++ // didn't have this check and could set i->prealloc = 0, which would
++ // result in a buffer overflow if the application called
++ // lzma_index_append() after decoding an empty Index. Appending
++ // Records after decoding an Index is a rare thing to do, but
++ // it is supposed to work.
++ if (records == 0)
++ records = INDEX_GROUP_SIZE;
++
+ i->prealloc = (size_t)(records);
+ return;
+ }
+@@ -685,6 +705,7 @@ lzma_index_append(lzma_index *i, const lzma_allocator *allocator,
+ ++g->last;
+ } else {
+ // We need to allocate a new group.
++ assert(i->prealloc > 0);
+ g = lzma_alloc(sizeof(index_group)
+ + i->prealloc * sizeof(index_record),
+ allocator);
+--
+2.47.3
+
diff -Nru xz-utils-5.8.1/debian/patches/series xz-utils-5.8.1/debian/patches/series
--- xz-utils-5.8.1/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ xz-utils-5.8.1/debian/patches/series 2026-07-01 19:00:37.000000000 +0000
@@ -0,0 +1 @@
+0001-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch
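Review bot: The `assert(i->prealloc > 0);` added in the second inner hunk is compiled out when NDEBUG is defined, so in such builds the invariant behind the `lzma_alloc()` size computation is enforced only by the new `records == 0` branch in lzma_index_prealloc(). Whether any other path can leave `i->prealloc` at zero is not visible here, since both function bodies continue outside the hunks; a runtime guard before the allocation, e.g. `if (i->prealloc == 0) return LZMA_PROG_ERROR;`, would fail closed instead of under-allocating. The patch touches only index.c and adds no regression test for the decode-an-empty-Index-then-append sequence described in the commit message, so a later refactor could reintroduce the overflow unnoticed. The code comment's "liblzma <= 5.8.2" refers to upstream releases, while this backport keeps the 5.8.1 version string, so fix status should be judged from the package revision 5.8.1-1+deb13u1 rather than the library version.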