Merged
65 changes: 65 additions & 0 deletions SPECS/xz/CVE-2026-34743.patch
@@ -0,0 +1,65 @@
From afad21b3b9c9089f1b1634bd2dcf57764b1e5bf5 Mon Sep 17 00:00:00 2001
From: Lasse Collin <lasse.collin@tukaani.org>
Date: Sun, 29 Mar 2026 19:11:21 +0300
Subject: [PATCH] liblzma: Fix a buffer overflow in lzma_index_append()

If lzma_index_decoder() was used to decode an Index that contained no
Records, the resulting lzma_index had an invalid internal "prealloc"
value. If lzma_index_append() was called on this lzma_index, too
little memory would be allocated and a buffer overflow would occur.

While this combination of the API functions is meant to work, in the
real-world apps this call sequence is rare or might not exist at all.

This bug is older than xz 5.0.0, so all stable releases are affected.

Reported-by: GitHub user christos-spearbit
(cherry picked from commit c8c22869e780ff57c96b46939c3d79ff99395f87)
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: https://github.com/tukaani-project/xz/commit/8538443d08591693a8c61f3a03656650f39c7c32.patch
---
src/liblzma/common/index.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)

diff --git a/src/liblzma/common/index.c b/src/liblzma/common/index.c
index a41e8f3..f1629b1 100644
--- a/src/liblzma/common/index.c
+++ b/src/liblzma/common/index.c
@@ -433,6 +433,26 @@ lzma_index_prealloc(lzma_index *i, lzma_vli records)
if (records > PREALLOC_MAX)
records = PREALLOC_MAX;

+ // If index_decoder.c calls us with records == 0, it's decoding
+ // an Index that has no Records. In that case the decoder won't call
+ // lzma_index_append() at all, and i->prealloc isn't used during
+ // the Index decoding either.
+ //
+ // Normally the first lzma_index_append() call from the Index decoder
+ // would reset i->prealloc to INDEX_GROUP_SIZE. With no Records,
+ // lzma_index_append() isn't called and the resetting of prealloc
+ // won't occur either. Thus, if records == 0, use the default value
+ // INDEX_GROUP_SIZE instead.
+ //
+ // NOTE: lzma_index_append() assumes i->prealloc > 0. liblzma <= 5.8.2
+ // didn't have this check and could set i->prealloc = 0, which would
+ // result in a buffer overflow if the application called
+ // lzma_index_append() after decoding an empty Index. Appending
+ // Records after decoding an Index is a rare thing to do, but
+ // it is supposed to work.
+ if (records == 0)
+ records = INDEX_GROUP_SIZE;
+
i->prealloc = (size_t)(records);
return;
}
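Review bot: No regression test accompanies the new `records == 0` branch in lzma_index_prealloc(); the diffstat lists only src/liblzma/common/index.c. The commit message already describes the failing sequence (decode an Index that contains no Records with lzma_index_decoder(), then call lzma_index_append() on the result), so a small test that performs exactly that sequence and runs as part of `make check` would keep this backport from regressing unnoticed.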
@@ -675,6 +695,7 @@ lzma_index_append(lzma_index *i, const lzma_allocator *allocator,
++g->last;
} else {
// We need to allocate a new group.
+ assert(i->prealloc > 0);
g = lzma_alloc(sizeof(index_group)
+ i->prealloc * sizeof(index_record),
allocator);
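Review bot: The `assert(i->prealloc > 0);` added ahead of lzma_alloc() in lzma_index_append() disappears when NDEBUG is defined, so in a release build it records the invariant without enforcing it. The only runtime protection is then the `records == 0` default in lzma_index_prealloc(); if any other path leaves i->prealloc at 0, the allocation `sizeof(index_group) + i->prealloc * sizeof(index_record)` is again too small for the record that gets written. Please confirm how this package's build sets NDEBUG, and whether a runtime check that returns an error would be a better fit than an assert at this point.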
--
2.45.4
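Review bot: The header of this patch file names two different upstream commits, `(cherry picked from commit c8c22869e780ff57c96b46939c3d79ff99395f87)` and `Upstream-reference: .../commit/8538443d08591693a8c61f3a03656650f39c7c32.patch`, and the `From` line carries a third hash. Please state in the header which upstream branch each hash belongs to and which one this file was generated from, so the backport can be compared against a single source.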

9 changes: 7 additions & 2 deletions SPECS/xz/xz.spec
@@ -1,13 +1,14 @@
Summary: Programs for compressing and decompressing files
Name: xz
Version: 5.2.5
Release: 1%{?dist}
Release: 2%{?dist}
URL: https://tukaani.org/xz
License: GPLv2+ and GPLv3+ and LGPLv2+
Group: Applications/File
Vendor: Microsoft Corporation
Distribution: Mariner
Source0: https://tukaani.org/xz/%{name}-%{version}.tar.xz
Patch0: CVE-2026-34743.patch
Provides: xz-lzma-compat = %{version}-%{release}
Provides: lzma = %{version}-%{release}
Requires: xz-libs = %{version}-%{release}
@@ -36,7 +37,8 @@ Group: System Environment/Libraries
This package contains minimal set of shared xz libraries.

%prep
%setup -q
%autosetup -p1

%build
./configure \
--prefix=%{_prefix} \
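Review bot: With `%setup -q` replaced by `%autosetup -p1` in %prep, Patch0 is applied automatically, and nothing on this page shows whether the hunk positions in CVE-2026-34743.patch (index.c lines 433 and 675) were generated against the 5.2.5 sources. Please confirm from the build log that both hunks applied cleanly, landing in lzma_index_prealloc() and lzma_index_append() respectively.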
@@ -100,6 +102,9 @@ make %{?_smp_mflags} check
%defattr(-,root,root)

%changelog
* Tue Apr 07 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 5.2.5-2
- Patch for CVE-2026-34743

* Fri Nov 05 2021 Andrew Phelps <anphel@microsoft.com> 5.2.5-1
- Update to version 5.2.5
- License verified
8 changes: 4 additions & 4 deletions toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -70,10 +70,10 @@ util-linux-2.37.4-10.cm2.aarch64.rpm
util-linux-devel-2.37.4-10.cm2.aarch64.rpm
util-linux-libs-2.37.4-10.cm2.aarch64.rpm
tar-1.34-3.cm2.aarch64.rpm
xz-5.2.5-1.cm2.aarch64.rpm
xz-devel-5.2.5-1.cm2.aarch64.rpm
xz-lang-5.2.5-1.cm2.aarch64.rpm
xz-libs-5.2.5-1.cm2.aarch64.rpm
xz-5.2.5-2.cm2.aarch64.rpm
xz-devel-5.2.5-2.cm2.aarch64.rpm
xz-lang-5.2.5-2.cm2.aarch64.rpm
xz-libs-5.2.5-2.cm2.aarch64.rpm
zstd-1.5.4-1.cm2.aarch64.rpm
zstd-devel-1.5.4-1.cm2.aarch64.rpm
zstd-libs-1.5.4-1.cm2.aarch64.rpm
8 changes: 4 additions & 4 deletions toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -70,10 +70,10 @@ util-linux-2.37.4-10.cm2.x86_64.rpm
util-linux-devel-2.37.4-10.cm2.x86_64.rpm
util-linux-libs-2.37.4-10.cm2.x86_64.rpm
tar-1.34-3.cm2.x86_64.rpm
xz-5.2.5-1.cm2.x86_64.rpm
xz-devel-5.2.5-1.cm2.x86_64.rpm
xz-lang-5.2.5-1.cm2.x86_64.rpm
xz-libs-5.2.5-1.cm2.x86_64.rpm
xz-5.2.5-2.cm2.x86_64.rpm
xz-devel-5.2.5-2.cm2.x86_64.rpm
xz-lang-5.2.5-2.cm2.x86_64.rpm
xz-libs-5.2.5-2.cm2.x86_64.rpm
zstd-1.5.4-1.cm2.x86_64.rpm
zstd-devel-1.5.4-1.cm2.x86_64.rpm
zstd-libs-1.5.4-1.cm2.x86_64.rpm
10 changes: 5 additions & 5 deletions toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -579,11 +579,11 @@ util-linux-lang-2.37.4-10.cm2.aarch64.rpm
util-linux-libs-2.37.4-10.cm2.aarch64.rpm
which-2.21-8.cm2.aarch64.rpm
which-debuginfo-2.21-8.cm2.aarch64.rpm
xz-5.2.5-1.cm2.aarch64.rpm
xz-debuginfo-5.2.5-1.cm2.aarch64.rpm
xz-devel-5.2.5-1.cm2.aarch64.rpm
xz-lang-5.2.5-1.cm2.aarch64.rpm
xz-libs-5.2.5-1.cm2.aarch64.rpm
xz-5.2.5-2.cm2.aarch64.rpm
xz-debuginfo-5.2.5-2.cm2.aarch64.rpm
xz-devel-5.2.5-2.cm2.aarch64.rpm
xz-lang-5.2.5-2.cm2.aarch64.rpm
xz-libs-5.2.5-2.cm2.aarch64.rpm
zip-3.0-5.cm2.aarch64.rpm
zip-debuginfo-3.0-5.cm2.aarch64.rpm
zlib-1.2.13-2.cm2.aarch64.rpm
10 changes: 5 additions & 5 deletions toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -585,11 +585,11 @@ util-linux-lang-2.37.4-10.cm2.x86_64.rpm
util-linux-libs-2.37.4-10.cm2.x86_64.rpm
which-2.21-8.cm2.x86_64.rpm
which-debuginfo-2.21-8.cm2.x86_64.rpm
xz-5.2.5-1.cm2.x86_64.rpm
xz-debuginfo-5.2.5-1.cm2.x86_64.rpm
xz-devel-5.2.5-1.cm2.x86_64.rpm
xz-lang-5.2.5-1.cm2.x86_64.rpm
xz-libs-5.2.5-1.cm2.x86_64.rpm
xz-5.2.5-2.cm2.x86_64.rpm
xz-debuginfo-5.2.5-2.cm2.x86_64.rpm
xz-devel-5.2.5-2.cm2.x86_64.rpm
xz-lang-5.2.5-2.cm2.x86_64.rpm
xz-libs-5.2.5-2.cm2.x86_64.rpm
zip-3.0-5.cm2.x86_64.rpm
zip-debuginfo-3.0-5.cm2.x86_64.rpm
zlib-1.2.13-2.cm2.x86_64.rpm