From bbe2fdae46aa0770b02d2898cc1005c4e99009f4 Mon Sep 17 00:00:00 2001
From: Azure Linux Security Servicing Account
Date: Tue, 7 Apr 2026 16:27:14 +0000
Subject: [PATCH 1/2] Patch xz for CVE-2026-34743
---
 SPECS/xz/CVE-2026-34743.patch | 65 +++++++++++++++++++
 SPECS/xz/xz.spec | 7 +-
 .../manifests/package/pkggen_core_aarch64.txt | 8 +--
 .../manifests/package/pkggen_core_x86_64.txt | 8 +--
 .../manifests/package/toolchain_aarch64.txt | 10 +--
 .../manifests/package/toolchain_x86_64.txt | 10 +--
 6 files changed, 89 insertions(+), 19 deletions(-)
 create mode 100644 SPECS/xz/CVE-2026-34743.patch
diff --git a/SPECS/xz/CVE-2026-34743.patch b/SPECS/xz/CVE-2026-34743.patch
new file mode 100644
index 00000000000..aaff761551c
--- /dev/null
+++ b/SPECS/xz/CVE-2026-34743.patch
@@ -0,0 +1,65 @@
+From afad21b3b9c9089f1b1634bd2dcf57764b1e5bf5 Mon Sep 17 00:00:00 2001
+From: Lasse Collin
+Date: Sun, 29 Mar 2026 19:11:21 +0300
+Subject: [PATCH] liblzma: Fix a buffer overflow in lzma_index_append()
+
+If lzma_index_decoder() was used to decode an Index that contained no
+Records, the resulting lzma_index had an invalid internal "prealloc"
+value. If lzma_index_append() was called on this lzma_index, too
+little memory would be allocated and a buffer overflow would occur.
+
+While this combination of the API functions is meant to work, in the
+real-world apps this call sequence is rare or might not exist at all.
+
+This bug is older than xz 5.0.0, so all stable releases are affected.
+
+Reported-by: GitHub user christos-spearbit
+(cherry picked from commit c8c22869e780ff57c96b46939c3d79ff99395f87)
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/tukaani-project/xz/commit/8538443d08591693a8c61f3a03656650f39c7c32.patch
+---
+ src/liblzma/common/index.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/src/liblzma/common/index.c b/src/liblzma/common/index.c
+index a41e8f3..f1629b1 100644
+--- a/src/liblzma/common/index.c
++++ b/src/liblzma/common/index.c
+@@ -433,6 +433,26 @@ lzma_index_prealloc(lzma_index *i, lzma_vli records)
+ if (records > PREALLOC_MAX)
+ records = PREALLOC_MAX;
+
++ // If index_decoder.c calls us with records == 0, it's decoding
++ // an Index that has no Records. In that case the decoder won't call
++ // lzma_index_append() at all, and i->prealloc isn't used during
++ // the Index decoding either.
++ //
++ // Normally the first lzma_index_append() call from the Index decoder
++ // would reset i->prealloc to INDEX_GROUP_SIZE. With no Records,
++ // lzma_index_append() isn't called and the resetting of prealloc
++ // won't occur either. Thus, if records == 0, use the default value
++ // INDEX_GROUP_SIZE instead.
++ //
++ // NOTE: lzma_index_append() assumes i->prealloc > 0. liblzma <= 5.8.2
++ // didn't have this check and could set i->prealloc = 0, which would
++ // result in a buffer overflow if the application called
++ // lzma_index_append() after decoding an empty Index. Appending
++ // Records after decoding an Index is a rare thing to do, but
++ // it is supposed to work.
++ if (records == 0)
++ records = INDEX_GROUP_SIZE;
++
+ i->prealloc = (size_t)(records);
+ return;
+ }
+@@ -675,6 +695,7 @@ lzma_index_append(lzma_index *i, const lzma_allocator *allocator,
+ ++g->last;
+ } else {
+ // We need to allocate a new group.
++ assert(i->prealloc > 0);
+ g = lzma_alloc(sizeof(index_group)
+ + i->prealloc * sizeof(index_record),
+ allocator);
+--
+2.45.4
+
diff --git a/SPECS/xz/xz.spec b/SPECS/xz/xz.spec
index 47b04483c6c..4fd1821a60f 100644
--- a/SPECS/xz/xz.spec
+++ b/SPECS/xz/xz.spec
@@ -1,13 +1,14 @@
 Summary: Programs for compressing and decompressing files
 Name: xz
 Version: 5.2.5
-Release: 1%{?dist}
+Release: 2%{?dist}
 URL: https://tukaani.org/xz
 License: GPLv2+ and GPLv3+ and LGPLv2+
 Group: Applications/File
 Vendor: Microsoft Corporation
 Distribution: Mariner
 Source0: https://tukaani.org/xz/%{name}-%{version}.tar.xz
+Patch0: CVE-2026-34743.patch
 Provides: xz-lzma-compat = %{version}-%{release}
 Provides: lzma = %{version}-%{release}
 Requires: xz-libs = %{version}-%{release}
@@ -37,6 +38,7 @@ This package contains minimal set of shared xz libraries.
 %prep
 %setup -q
+%patch 0 -p1
 %build
 ./configure \
 --prefix=%{_prefix} \
@@ -100,6 +102,9 @@ make %{?_smp_mflags} check
 %defattr(-,root,root)
 %changelog
+* Tue Apr 07 2026 Azure Linux Security Servicing Account - 5.2.5-2
+- Patch for CVE-2026-34743
+
 * Fri Nov 05 2021 Andrew Phelps 5.2.5-1
 - Update to version 5.2.5
 - License verified
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index 8532b63b5f0..15f85400dd5 100644
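Review bot: In SPECS/xz/CVE-2026-34743.patch, the `assert(i->prealloc > 0);` added to lzma_index_append() is compiled out whenever NDEBUG is defined, so in such a build the only thing preventing the undersized allocation is the new `if (records == 0) records = INDEX_GROUP_SIZE;` in lzma_index_prealloc(). Both functions begin and end outside the hunks, so the 5.2.5 tree should be checked for any other assignment to `i->prealloc` that could store 0 before this is treated as a complete fix. The patch header names three different commit ids (the `From` line, `cherry picked from commit` and the `Upstream-reference` URL); one sentence stating which upstream commit this backport was taken from, and whether it applied to 5.2.5 unmodified, would make the provenance verifiable. The patch changes only index.c and so adds no test for the decode-an-empty-Index-then-append sequence; a regression test for that sequence, run under the spec's existing `make check`, would keep the fix from silently regressing.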
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -70,10 +70,10 @@ util-linux-2.37.4-10.cm2.aarch64.rpm
 util-linux-devel-2.37.4-10.cm2.aarch64.rpm
 util-linux-libs-2.37.4-10.cm2.aarch64.rpm
 tar-1.34-3.cm2.aarch64.rpm
-xz-5.2.5-1.cm2.aarch64.rpm
-xz-devel-5.2.5-1.cm2.aarch64.rpm
-xz-lang-5.2.5-1.cm2.aarch64.rpm
-xz-libs-5.2.5-1.cm2.aarch64.rpm
+xz-5.2.5-2.cm2.aarch64.rpm
+xz-devel-5.2.5-2.cm2.aarch64.rpm
+xz-lang-5.2.5-2.cm2.aarch64.rpm
+xz-libs-5.2.5-2.cm2.aarch64.rpm
 zstd-1.5.4-1.cm2.aarch64.rpm
 zstd-devel-1.5.4-1.cm2.aarch64.rpm
 zstd-libs-1.5.4-1.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index 73a9df4ca3a..95a2365d234 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -70,10 +70,10 @@ util-linux-2.37.4-10.cm2.x86_64.rpm
 util-linux-devel-2.37.4-10.cm2.x86_64.rpm
 util-linux-libs-2.37.4-10.cm2.x86_64.rpm
 tar-1.34-3.cm2.x86_64.rpm
-xz-5.2.5-1.cm2.x86_64.rpm
-xz-devel-5.2.5-1.cm2.x86_64.rpm
-xz-lang-5.2.5-1.cm2.x86_64.rpm
-xz-libs-5.2.5-1.cm2.x86_64.rpm
+xz-5.2.5-2.cm2.x86_64.rpm
+xz-devel-5.2.5-2.cm2.x86_64.rpm
+xz-lang-5.2.5-2.cm2.x86_64.rpm
+xz-libs-5.2.5-2.cm2.x86_64.rpm
 zstd-1.5.4-1.cm2.x86_64.rpm
 zstd-devel-1.5.4-1.cm2.x86_64.rpm
 zstd-libs-1.5.4-1.cm2.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index 814c5ecd113..c2e4eed56d5 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -579,11 +579,11 @@ util-linux-lang-2.37.4-10.cm2.aarch64.rpm
 util-linux-libs-2.37.4-10.cm2.aarch64.rpm
 which-2.21-8.cm2.aarch64.rpm
 which-debuginfo-2.21-8.cm2.aarch64.rpm
-xz-5.2.5-1.cm2.aarch64.rpm
-xz-debuginfo-5.2.5-1.cm2.aarch64.rpm
-xz-devel-5.2.5-1.cm2.aarch64.rpm
-xz-lang-5.2.5-1.cm2.aarch64.rpm
-xz-libs-5.2.5-1.cm2.aarch64.rpm
+xz-5.2.5-2.cm2.aarch64.rpm
+xz-debuginfo-5.2.5-2.cm2.aarch64.rpm
+xz-devel-5.2.5-2.cm2.aarch64.rpm
+xz-lang-5.2.5-2.cm2.aarch64.rpm
+xz-libs-5.2.5-2.cm2.aarch64.rpm
 zip-3.0-5.cm2.aarch64.rpm
 zip-debuginfo-3.0-5.cm2.aarch64.rpm
 zlib-1.2.13-2.cm2.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index 0d153054275..371185e60d2 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -585,11 +585,11 @@ util-linux-lang-2.37.4-10.cm2.x86_64.rpm
 util-linux-libs-2.37.4-10.cm2.x86_64.rpm
 which-2.21-8.cm2.x86_64.rpm
 which-debuginfo-2.21-8.cm2.x86_64.rpm
-xz-5.2.5-1.cm2.x86_64.rpm
-xz-debuginfo-5.2.5-1.cm2.x86_64.rpm
-xz-devel-5.2.5-1.cm2.x86_64.rpm
-xz-lang-5.2.5-1.cm2.x86_64.rpm
-xz-libs-5.2.5-1.cm2.x86_64.rpm
+xz-5.2.5-2.cm2.x86_64.rpm
+xz-debuginfo-5.2.5-2.cm2.x86_64.rpm
+xz-devel-5.2.5-2.cm2.x86_64.rpm
+xz-lang-5.2.5-2.cm2.x86_64.rpm
+xz-libs-5.2.5-2.cm2.x86_64.rpm
 zip-3.0-5.cm2.x86_64.rpm
 zip-debuginfo-3.0-5.cm2.x86_64.rpm
 zlib-1.2.13-2.cm2.x86_64.rpm
From 2b6d1b7102169c55e6966e8c747b466b4dc184ef Mon Sep 17 00:00:00 2001
From: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Date: Thu, 9 Apr 2026 13:57:15 +0530
Subject: [PATCH 2/2] Update xz.spec to use %autosetup
Replace %setup with %autosetup for better handling of patches.
---
 SPECS/xz/xz.spec | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/SPECS/xz/xz.spec b/SPECS/xz/xz.spec
index 4fd1821a60f..b29e124cdf6 100644
--- a/SPECS/xz/xz.spec
+++ b/SPECS/xz/xz.spec
@@ -37,8 +37,8 @@ Group: System Environment/Libraries
 This package contains minimal set of shared xz libraries.
 %prep
-%setup -q
-%patch 0 -p1
+%autosetup -p1
+
 %build
 ./configure \
 --prefix=%{_prefix} \