diff --git a/SPECS/xz/CVE-2026-34743.patch b/SPECS/xz/CVE-2026-34743.patch
new file mode 100644
index 00000000000..a1fe0b4a78d
--- /dev/null
+++ b/SPECS/xz/CVE-2026-34743.patch
@@ -0,0 +1,65 @@
+From c34a1e28809d781ec77ebcae1b2d13e8d09bc329 Mon Sep 17 00:00:00 2001
+From: Lasse Collin
+Date: Sun, 29 Mar 2026 19:11:21 +0300
+Subject: [PATCH] liblzma: Fix a buffer overflow in lzma_index_append()
+
+If lzma_index_decoder() was used to decode an Index that contained no
+Records, the resulting lzma_index had an invalid internal "prealloc"
+value. If lzma_index_append() was called on this lzma_index, too
+little memory would be allocated and a buffer overflow would occur.
+
+While this combination of the API functions is meant to work, in the
+real-world apps this call sequence is rare or might not exist at all.
+
+This bug is older than xz 5.0.0, so all stable releases are affected.
+
+Reported-by: GitHub user christos-spearbit
+(cherry picked from commit c8c22869e780ff57c96b46939c3d79ff99395f87)
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/tukaani-project/xz/commit/8538443d08591693a8c61f3a03656650f39c7c32.patch
+---
+ src/liblzma/common/index.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/src/liblzma/common/index.c b/src/liblzma/common/index.c
+index 97cc9f9..e44dacc 100644
+--- a/src/liblzma/common/index.c
++++ b/src/liblzma/common/index.c
+@@ -434,6 +434,26 @@ lzma_index_prealloc(lzma_index *i, lzma_vli records)
+ if (records > PREALLOC_MAX)
+ records = PREALLOC_MAX;
+
++ // If index_decoder.c calls us with records == 0, it's decoding
++ // an Index that has no Records. In that case the decoder won't call
++ // lzma_index_append() at all, and i->prealloc isn't used during
++ // the Index decoding either.
++ //
++ // Normally the first lzma_index_append() call from the Index decoder
++ // would reset i->prealloc to INDEX_GROUP_SIZE. With no Records,
++ // lzma_index_append() isn't called and the resetting of prealloc
++ // won't occur either. Thus, if records == 0, use the default value
++ // INDEX_GROUP_SIZE instead.
++ //
++ // NOTE: lzma_index_append() assumes i->prealloc > 0. liblzma <= 5.8.2
++ // didn't have this check and could set i->prealloc = 0, which would
++ // result in a buffer overflow if the application called
++ // lzma_index_append() after decoding an empty Index. Appending
++ // Records after decoding an Index is a rare thing to do, but
++ // it is supposed to work.
++ if (records == 0)
++ records = INDEX_GROUP_SIZE;
++
+ i->prealloc = (size_t)(records);
+ return;
+ }
+@@ -680,6 +700,7 @@ lzma_index_append(lzma_index *i, const lzma_allocator *allocator,
+ ++g->last;
+ } else {
+ // We need to allocate a new group.
++ assert(i->prealloc > 0);
+ g = lzma_alloc(sizeof(index_group)
+ + i->prealloc * sizeof(index_record),
+ allocator);
+-- 
+2.45.4
+
diff --git a/SPECS/xz/xz.spec b/SPECS/xz/xz.spec
index 19bd404ca66..fe779428cbf 100644
--- a/SPECS/xz/xz.spec
+++ b/SPECS/xz/xz.spec
@@ -1,7 +1,7 @@
 Summary: Programs for compressing and decompressing files
 Name: xz
 Version: 5.4.4
-Release: 2%{?dist}
+Release: 3%{?dist}
 URL: https://tukaani.org/xz
 License: GPLv2+ and GPLv3+ and LGPLv2+
 Group: Applications/File
@@ -9,6 +9,7 @@ Vendor: Microsoft Corporation
 Distribution: Azure Linux
 Source0: https://tukaani.org/xz/%{name}-%{version}.tar.xz
 Patch0: CVE-2025-31115.patch
+Patch1: CVE-2026-34743.patch
 Provides: xz-lzma-compat = %{version}-%{release}
 Provides: lzma = %{version}-%{release}
 Requires: xz-libs = %{version}-%{release}
@@ -94,10 +95,13 @@ make %{?_smp_mflags} check
 %{_mandir}/uk/man1/*
 %files devel
+%license COPYING COPYING.GPLv2
 %{_includedir}/lzma.h
 %{_includedir}/lzma/*.h
 %{_libdir}/pkgconfig/liblzma.pc
 %{_libdir}/liblzma.so
+%exclude %{_defaultdocdir}/%{name}-%{version}/COPYING
+%exclude %{_defaultdocdir}/%{name}-%{version}/COPYING.GPLv2
 %{_defaultdocdir}/%{name}-%{version}/*
 %files libs
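Review bot: The `assert(i->prealloc > 0);` added in lzma_index_append() enforces the invariant only in builds where NDEBUG is not defined; with assertions compiled out, a zero prealloc reaching the "allocate a new group" branch would still make the allocation just `sizeof(index_group)`. The guard added to lzma_index_prealloc() closes the path the commit message describes, but the embedded hunks do not show whether any other code can leave i->prealloc at 0, so the assert should be read as documentation of the invariant rather than a runtime check. If a hard stop is wanted in release builds, `if (i->prealloc == 0) return LZMA_PROG_ERROR;` before the lzma_alloc() call would provide it, at the cost of diverging from upstream. Both function bodies continue outside the embedded hunks.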
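Review bot: `Patch1: CVE-2026-34743.patch` only declares the patch, and the %prep section is not part of any visible hunk, so this diff alone does not confirm that the fix is applied at build time. If %prep uses `%autosetup -p1` the new entry is picked up automatically; if it applies patches one by one, a matching `%patch1 -p1` line is needed, otherwise the package would ship as 5.4.4-3 without the change to src/liblzma/common/index.c. Worth confirming in the build log that the patch was applied.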
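Review bot: The `%license COPYING COPYING.GPLv2` line and the two `%exclude` lines added to `%files devel` are a packaging change that is separate from the CVE fix, yet the %changelog entry added further down in this file records only `- Patch for CVE-2026-34743`. For a security servicing commit it helps auditing either to keep the diff to the fix itself or to record the extra change, for example with a second changelog line such as `- Move COPYING files in the devel subpackage to the license directory`.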
@@ -107,6 +111,9 @@ make %{?_smp_mflags} check
 %defattr(-,root,root)
 %changelog
+* Fri Apr 03 2026 Azure Linux Security Servicing Account - 5.4.4-3
+- Patch for CVE-2026-34743
+
 * Tue Apr 1 2025 Jon Slobodzian - 5.4.4-2
 - Patch for CVE-2025-31115
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
index 9098d9f4885..d47530db29d 100644
--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -74,10 +74,10 @@ util-linux-2.40.2-3.azl3.aarch64.rpm
 util-linux-devel-2.40.2-3.azl3.aarch64.rpm
 util-linux-libs-2.40.2-3.azl3.aarch64.rpm
 tar-1.35-2.azl3.aarch64.rpm
-xz-5.4.4-2.azl3.aarch64.rpm
-xz-devel-5.4.4-2.azl3.aarch64.rpm
-xz-lang-5.4.4-2.azl3.aarch64.rpm
-xz-libs-5.4.4-2.azl3.aarch64.rpm
+xz-5.4.4-3.azl3.aarch64.rpm
+xz-devel-5.4.4-3.azl3.aarch64.rpm
+xz-lang-5.4.4-3.azl3.aarch64.rpm
+xz-libs-5.4.4-3.azl3.aarch64.rpm
 zstd-1.5.5-2.azl3.aarch64.rpm
 zstd-devel-1.5.5-2.azl3.aarch64.rpm
 zstd-libs-1.5.5-2.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index 6ca4eaff965..f19ae23f52e 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -74,10 +74,10 @@ util-linux-2.40.2-3.azl3.x86_64.rpm
 util-linux-devel-2.40.2-3.azl3.x86_64.rpm
 util-linux-libs-2.40.2-3.azl3.x86_64.rpm
 tar-1.35-2.azl3.x86_64.rpm
-xz-5.4.4-2.azl3.x86_64.rpm
-xz-devel-5.4.4-2.azl3.x86_64.rpm
-xz-lang-5.4.4-2.azl3.x86_64.rpm
-xz-libs-5.4.4-2.azl3.x86_64.rpm
+xz-5.4.4-3.azl3.x86_64.rpm
+xz-devel-5.4.4-3.azl3.x86_64.rpm
+xz-lang-5.4.4-3.azl3.x86_64.rpm
+xz-libs-5.4.4-3.azl3.x86_64.rpm
 zstd-1.5.5-2.azl3.x86_64.rpm
 zstd-devel-1.5.5-2.azl3.x86_64.rpm
 zstd-libs-1.5.5-2.azl3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index cd181dd1523..bff8bec2101 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -606,11 +606,11 @@ util-linux-lang-2.40.2-3.azl3.aarch64.rpm
 util-linux-libs-2.40.2-3.azl3.aarch64.rpm
 which-2.21-8.azl3.aarch64.rpm
 which-debuginfo-2.21-8.azl3.aarch64.rpm
-xz-5.4.4-2.azl3.aarch64.rpm
-xz-debuginfo-5.4.4-2.azl3.aarch64.rpm
-xz-devel-5.4.4-2.azl3.aarch64.rpm
-xz-lang-5.4.4-2.azl3.aarch64.rpm
-xz-libs-5.4.4-2.azl3.aarch64.rpm
+xz-5.4.4-3.azl3.aarch64.rpm
+xz-debuginfo-5.4.4-3.azl3.aarch64.rpm
+xz-devel-5.4.4-3.azl3.aarch64.rpm
+xz-lang-5.4.4-3.azl3.aarch64.rpm
+xz-libs-5.4.4-3.azl3.aarch64.rpm
 zip-3.0-6.azl3.aarch64.rpm
 zip-debuginfo-3.0-6.azl3.aarch64.rpm
 zlib-1.3.2-1.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index ee32ff7c912..dc89e79dd20 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -614,11 +614,11 @@ util-linux-lang-2.40.2-3.azl3.x86_64.rpm
 util-linux-libs-2.40.2-3.azl3.x86_64.rpm
 which-2.21-8.azl3.x86_64.rpm
 which-debuginfo-2.21-8.azl3.x86_64.rpm
-xz-5.4.4-2.azl3.x86_64.rpm
-xz-debuginfo-5.4.4-2.azl3.x86_64.rpm
-xz-devel-5.4.4-2.azl3.x86_64.rpm
-xz-lang-5.4.4-2.azl3.x86_64.rpm
-xz-libs-5.4.4-2.azl3.x86_64.rpm
+xz-5.4.4-3.azl3.x86_64.rpm
+xz-debuginfo-5.4.4-3.azl3.x86_64.rpm
+xz-devel-5.4.4-3.azl3.x86_64.rpm
+xz-lang-5.4.4-3.azl3.x86_64.rpm
+xz-libs-5.4.4-3.azl3.x86_64.rpm
 zip-3.0-6.azl3.x86_64.rpm
 zip-debuginfo-3.0-6.azl3.x86_64.rpm
 zlib-1.3.2-1.azl3.x86_64.rpm