GET /api/1.2/patches/2224428/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2224428,
    "url": "http://patchwork.ozlabs.org/api/1.2/patches/2224428/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/buildroot/patch/20260417120641.174060-2-thomas.perale@mind.be/",
    "project": {
        "id": 27,
        "url": "http://patchwork.ozlabs.org/api/1.2/projects/27/?format=api",
        "name": "Buildroot development",
        "link_name": "buildroot",
        "list_id": "buildroot.buildroot.org",
        "list_email": "buildroot@buildroot.org",
        "web_url": "",
        "scm_url": "",
        "webscm_url": "",
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<20260417120641.174060-2-thomas.perale@mind.be>",
    "list_archive_url": null,
    "date": "2026-04-17T12:06:41",
    "name": "[2/2,2025.02.x] package/xz: patch CVE-2026-34743",
    "commit_ref": null,
    "pull_url": null,
    "state": "accepted",
    "archived": false,
    "hash": "2fcc235912f5d20d6e995bbf55c476d5e0cb2a94",
    "submitter": {
        "id": 87308,
        "url": "http://patchwork.ozlabs.org/api/1.2/people/87308/?format=api",
        "name": "Thomas Perale",
        "email": "thomas.perale@mind.be"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/buildroot/patch/20260417120641.174060-2-thomas.perale@mind.be/mbox/",
    "series": [
        {
            "id": 500317,
            "url": "http://patchwork.ozlabs.org/api/1.2/series/500317/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/buildroot/list/?series=500317",
            "date": "2026-04-17T12:06:40",
            "name": "[1/2,2025.02.x] package/xz: add patch trailer",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/500317/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2224428/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2224428/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<buildroot-bounces@buildroot.org>",
        "X-Original-To": [
            "incoming-buildroot@patchwork.ozlabs.org",
            "buildroot@buildroot.org"
        ],
        "Delivered-To": [
            "patchwork-incoming-buildroot@legolas.ozlabs.org",
            "buildroot@buildroot.org"
        ],
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=nV/YNmhN;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::136; helo=smtp3.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"
        ],
        "Received": [
            "from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fxtsX2bBmz1yHp\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Fri, 17 Apr 2026 22:06:56 +1000 (AEST)",
            "from localhost (localhost [127.0.0.1])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 9222060DCB;\n\tFri, 17 Apr 2026 12:06:53 +0000 (UTC)",
            "from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id 2QKFuSL6xQNG; Fri, 17 Apr 2026 12:06:51 +0000 (UTC)",
            "from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp3.osuosl.org (Postfix) with ESMTP id 7A76460DAD;\n\tFri, 17 Apr 2026 12:06:51 +0000 (UTC)",
            "from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])\n by lists1.osuosl.org (Postfix) with ESMTP id 3B3DC396\n for <buildroot@buildroot.org>; Fri, 17 Apr 2026 12:06:49 +0000 (UTC)",
            "from localhost (localhost [127.0.0.1])\n by smtp3.osuosl.org (Postfix) with ESMTP id 1FFCA60DAD\n for <buildroot@buildroot.org>; Fri, 17 Apr 2026 12:06:49 +0000 (UTC)",
            "from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id G3TiyEcXc01V for <buildroot@buildroot.org>;\n Fri, 17 Apr 2026 12:06:47 +0000 (UTC)",
            "from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com\n [IPv6:2a00:1450:4864:20::42a])\n by smtp3.osuosl.org (Postfix) with ESMTPS id 549BF60766\n for <buildroot@buildroot.org>; Fri, 17 Apr 2026 12:06:47 +0000 (UTC)",
            "by mail-wr1-x42a.google.com with SMTP id\n ffacd0b85a97d-43eb012ac4fso380318f8f.0\n for <buildroot@buildroot.org>; Fri, 17 Apr 2026 05:06:47 -0700 (PDT)",
            "from arch ([79.132.232.220]) by smtp.gmail.com with ESMTPSA id\n ffacd0b85a97d-43fe4e3a341sm4421878f8f.24.2026.04.17.05.06.43\n for <buildroot@buildroot.org>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Fri, 17 Apr 2026 05:06:44 -0700 (PDT)"
        ],
        "X-Virus-Scanned": [
            "amavis at osuosl.org",
            "amavis at osuosl.org"
        ],
        "X-Comment": "SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ",
        "DKIM-Filter": [
            "OpenDKIM Filter v2.11.0 smtp3.osuosl.org 7A76460DAD",
            "OpenDKIM Filter v2.11.0 smtp3.osuosl.org 549BF60766"
        ],
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1776427611;\n\tbh=F5bslr2VMalqzchaRbZBCqwjr46amdYDBVT5TSDJbfQ=;\n\th=To:Date:In-Reply-To:References:Subject:List-Id:List-Unsubscribe:\n\t List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:\n\t From;\n\tb=nV/YNmhN7jttwWbNfiies3GDjU2uQl6OinB41XUd1jDflhYW3qfhZli4G4143I3At\n\t BgMEnBvBPhliqJp2gXHe+ddXOcu9gHlZKpRpoMQMNmeOVPbS3xHZUIJDD97s2n98ub\n\t ZlDqKeBa3VFTAGuZ5AXKDsXz3jIm3RmauIw8iaRXB6AYJrDqNWNO2Rg93qu8j5jIua\n\t ZzauWTw/GMeHl/scOUVPlLwNtws0AVqPpvH9IpBUiWScPH3VIuzFHk1EVxOcZa5Wog\n\t AukFnL1MZ1iL0LfWTS0E2yhMDRytfUAl24FeAblKkMM43D8XCjtoeXIF3msV2a6664\n\t JSPRGsXs0c/5Q==",
        "Received-SPF": "Pass (mailfrom) identity=mailfrom;\n client-ip=2a00:1450:4864:20::42a; helo=mail-wr1-x42a.google.com;\n envelope-from=thomas.perale@essensium.com; receiver=<UNKNOWN>",
        "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp3.osuosl.org 549BF60766",
        "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776427605; x=1777032405;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to\n :cc:subject:date:message-id:reply-to;\n bh=72KJMHJsa1XZ0qrS593TYLuNljAFLWrZg1YbrQEhuec=;\n b=a1BD7RQyGJzGlcp+R09gB8wLGF0CHO7BoP6OjNhdX5hUye/OkGngUHmQirKFCiquGQ\n 8jsqIgOh94wAlOapGxqb7WbOBNCZmwkD0LxL055BP6PVNLOz9CPExYxvKTTFBG+mwq5+\n 1B8L9MHZuFBUzDGyeGvsOEaJpsIIFP/yKaHBTSnGEKLZGCdhwV0aHKyO52OJ2M2V3VRk\n F7z2Dl3hKFkGnfZlj91d2XozclQZQBX0v3Nmd8lQ8rge45Ca3Q3vY4EwFSn/L1L7d8V4\n xFGzNqbTvlz5a+mg3lvXCmluuaqDoi1FmuJ3iEMxicGvy3v3x0mvhX592BNk45tkgjOA\n i1Yg==",
        "X-Gm-Message-State": "AOJu0YweUiwIusUzOQQAmUR3vKLNQWP8xZ+Lo7/+30QYm06j33OiU6Ad\n O6MmZDZQLz5iLYwYidhRl6yM6Ybl5Fi2Mula1E/NqGP196nz+ks3N1a8L3UgqonRscQgboEHtAl\n bY24p",
        "X-Gm-Gg": "AeBDievaTg3fgP3yQ19Xmm1VP9HhgeT9pdoXH+R5UugmyfeY+t7qWRSA5M7ejilbqFd\n c+yc4NANPtNp68y9osXaIhpqgdcUWYB5WA+loGxLs8cS+KOxt5z4CntyQ5NUxLeIcHN/7Xvt8Cp\n /tm0pLvwKgAVPnnoNooRK125vAwpNgsfAI6zouGTZiR1wqIMoC5JFEDfDq7WRr+F226dkldZmZ3\n 2OTU8DQNcXfJwJImKZsuyLHlzDa72BHz03s/IZD1ReJm+uo4NKLSAyi1DHmZjqId/foK8P28coO\n qrmz45gXuiX3VyoFu0YFrIvcpnEMpDNCXxP585nC7TKk8DEHSQmJyAGoe9GJnus9Jp2IUwIFDqj\n CRRDo6feyCL7pmZMS0JcqCR8N1EEB8jAglqzpW5xkLrZWkEsZHTwFg7iWeNlXfpHVWzYxbYYNzB\n QY1isMyTFoXN+RDs7VWdby5L1sETY=",
        "X-Received": "by 2002:a05:6000:25ca:b0:43c:fde6:2126 with SMTP id\n ffacd0b85a97d-43fe3e0fde7mr3899852f8f.37.1776427604406;\n Fri, 17 Apr 2026 05:06:44 -0700 (PDT)",
        "To": "buildroot@buildroot.org",
        "Date": "Fri, 17 Apr 2026 14:06:41 +0200",
        "Message-ID": "<20260417120641.174060-2-thomas.perale@mind.be>",
        "X-Mailer": "git-send-email 2.53.0",
        "In-Reply-To": "<20260417120641.174060-1-thomas.perale@mind.be>",
        "References": "<20260417120641.174060-1-thomas.perale@mind.be>",
        "MIME-Version": "1.0",
        "X-Mailman-Original-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=mind.be; s=google; t=1776427605; x=1777032405; darn=buildroot.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:to:from:from:to:cc:subject:date:message-id\n :reply-to;\n bh=72KJMHJsa1XZ0qrS593TYLuNljAFLWrZg1YbrQEhuec=;\n b=MgU1+6thU6s6CjCyOw4q4U53LvsUqpEvnY9htV4q6j9PSwoXMsp7NdA1MRgxXNOuMJ\n Z1dZXdzaWxSkEiQG+AkTx7RYttDSoUqs992ShUqebnCB5/Fuce38gTRsg9xMsZ1Y0I9/\n UIMVy6UgjR8NT/CfYXdnBXvw3Wmy9s4c4tQnUljAMQU5xTk+fEzgY/hnL4IzWP1R+Nc4\n AbouUb9aMi3BOh2txto5F6YFC0qscC1cd/xO4xx2L+hCA/Knxq2I20nB6X3RZuWfPXYF\n 0hCiEiYFolbwtq85e3m2j9IuvkTfb/scRa9TDBTKOUO2bVDND0qieT9S9a8pXkSJuAMP\n Tb9A==",
        "X-Mailman-Original-Authentication-Results": [
            "smtp3.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=mind.be",
            "smtp3.osuosl.org;\n dkim=pass (2048-bit key) header.d=mind.be header.i=@mind.be\n header.a=rsa-sha256 header.s=google header.b=MgU1+6th"
        ],
        "Subject": "[Buildroot] [PATCH 2/2 2025.02.x] package/xz: patch CVE-2026-34743",
        "X-BeenThere": "buildroot@buildroot.org",
        "X-Mailman-Version": "2.1.30",
        "Precedence": "list",
        "List-Id": "Discussion and development of buildroot <buildroot.buildroot.org>",
        "List-Unsubscribe": "<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>",
        "List-Archive": "<http://lists.buildroot.org/pipermail/buildroot/>",
        "List-Post": "<mailto:buildroot@buildroot.org>",
        "List-Help": "<mailto:buildroot-request@buildroot.org?subject=help>",
        "List-Subscribe": "<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>",
        "From": "Thomas Perale via buildroot <buildroot@buildroot.org>",
        "Reply-To": "Thomas Perale <thomas.perale@mind.be>",
        "Content-Type": "text/plain; charset=\"us-ascii\"",
        "Content-Transfer-Encoding": "7bit",
        "Errors-To": "buildroot-bounces@buildroot.org",
        "Sender": "\"buildroot\" <buildroot-bounces@buildroot.org>"
    },
    "content": "- CVE-2026-34743:\n    XZ Utils provide a general-purpose data-compression library plus\n    command-line tools. Prior to version 5.8.3, if lzma_index_decoder()\n    was used to decode an Index that contained no Records, the resulting\n    lzma_index was left in a state where where a subsequent\n    lzma_index_append() would allocate too little memory, and a buffer\n    overflow would occur. This issue has been patched in version 5.8.3.\n\nFor more information, see:\n  - https://www.cve.org/CVERecord?id=CVE-2026-34743\n  - https://security-tracker.debian.org/tracker/CVE-2026-34743\n  - https://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff99395f87\n\n(cherry picked from commit 724635227314010518372c5bad4d37d7c58950c1)\nSigned-off-by: Thomas Perale <thomas.perale@mind.be>\n---\n ...buffer-overflow-in-lzma-index-append.patch | 62 +++++++++++++++++++\n package/xz/xz.mk                              |  5 +-\n 2 files changed, 66 insertions(+), 1 deletion(-)\n create mode 100644 package/xz/0005-liblzma-Fix-a-buffer-overflow-in-lzma-index-append.patch",
    "diff": "diff --git a/package/xz/0005-liblzma-Fix-a-buffer-overflow-in-lzma-index-append.patch b/package/xz/0005-liblzma-Fix-a-buffer-overflow-in-lzma-index-append.patch\nnew file mode 100644\nindex 0000000000..034122d4f7\n--- /dev/null\n+++ b/package/xz/0005-liblzma-Fix-a-buffer-overflow-in-lzma-index-append.patch\n@@ -0,0 +1,62 @@\n+From c8c22869e780ff57c96b46939c3d79ff99395f87 Mon Sep 17 00:00:00 2001\n+From: Lasse Collin <lasse.collin@tukaani.org>\n+Date: Sun, 29 Mar 2026 19:11:21 +0300\n+Subject: [PATCH] liblzma: Fix a buffer overflow in lzma_index_append()\n+\n+If lzma_index_decoder() was used to decode an Index that contained no\n+Records, the resulting lzma_index had an invalid internal \"prealloc\"\n+value. If lzma_index_append() was called on this lzma_index, too\n+little memory would be allocated and a buffer overflow would occur.\n+\n+While this combination of the API functions is meant to work, in the\n+real-world apps this call sequence is rare or might not exist at all.\n+\n+This bug is older than xz 5.0.0, so all stable releases are affected.\n+\n+Reported-by: GitHub user christos-spearbit\n+CVE: CVE-2026-34743\n+Upstream: https://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff99395f87\n+Signed-off-by: Thomas Perale <thomas.perale@mind.be>\n+---\n+ src/liblzma/common/index.c | 21 +++++++++++++++++++++\n+ 1 file changed, 21 insertions(+)\n+\n+diff --git a/src/liblzma/common/index.c b/src/liblzma/common/index.c\n+index 6add6a683..c4aadb9b0 100644\n+--- a/src/liblzma/common/index.c\n++++ b/src/liblzma/common/index.c\n+@@ -433,6 +433,26 @@ lzma_index_prealloc(lzma_index *i, lzma_vli records)\n+ \tif (records > PREALLOC_MAX)\n+ \t\trecords = PREALLOC_MAX;\n+ \n++\t// If index_decoder.c calls us with records == 0, it's decoding\n++\t// an Index that has no Records. 
In that case the decoder won't call\n++\t// lzma_index_append() at all, and i->prealloc isn't used during\n++\t// the Index decoding either.\n++\t//\n++\t// Normally the first lzma_index_append() call from the Index decoder\n++\t// would reset i->prealloc to INDEX_GROUP_SIZE. With no Records,\n++\t// lzma_index_append() isn't called and the resetting of prealloc\n++\t// won't occur either. Thus, if records == 0, use the default value\n++\t// INDEX_GROUP_SIZE instead.\n++\t//\n++\t// NOTE: lzma_index_append() assumes i->prealloc > 0. liblzma <= 5.8.2\n++\t// didn't have this check and could set i->prealloc = 0, which would\n++\t// result in a buffer overflow if the application called\n++\t// lzma_index_append() after decoding an empty Index. Appending\n++\t// Records after decoding an Index is a rare thing to do, but\n++\t// it is supposed to work.\n++\tif (records == 0)\n++\t\trecords = INDEX_GROUP_SIZE;\n++\n+ \ti->prealloc = (size_t)(records);\n+ \treturn;\n+ }\n+@@ -685,6 +705,7 @@ lzma_index_append(lzma_index *i, const lzma_allocator *allocator,\n+ \t\t++g->last;\n+ \t} else {\n+ \t\t// We need to allocate a new group.\n++\t\tassert(i->prealloc > 0);\n+ \t\tg = lzma_alloc(sizeof(index_group)\n+ \t\t\t\t+ i->prealloc * sizeof(index_record),\n+ \t\t\t\tallocator);\ndiff --git a/package/xz/xz.mk b/package/xz/xz.mk\nindex 60c2df70ee..205ab928a7 100644\n--- a/package/xz/xz.mk\n+++ b/package/xz/xz.mk\n@@ -22,7 +22,10 @@ HOST_XZ_ADD_CCACHE_DEPENDENCY = NO\n # 0002-liblzma-mt-dec-Simplify-by-removing-the-THR_STOP-sta.patch\n # 0003-liblzma-mt-dec-Don-t-free-the-input-buffer-too-early.patch\n # 0004-liblzma-mt-dec-Don-t-modify-thr-in_size-in-the-worke.patch\n-XZ_IGNORE_CVES = CVE-2025-31115\n+XZ_IGNORE_CVES += CVE-2025-31115\n+\n+# 0005-liblzma-Fix-a-buffer-overflow-in-lzma-index-append.patch\n+XZ_IGNORE_CVES += CVE-2026-34743\n \n XZ_CONF_OPTS = \\\n \t--enable-encoders=lzma1,lzma2,delta,x86,powerpc,ia64,arm,armthumb,arm64,sparc,riscv \\\n",
    "prefixes": [
        "2/2",
        "2025.02.x"
    ]
}
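Review bot: The `XZ_IGNORE_CVES += CVE-2026-34743` line in the xz.mk hunk keeps this CVE out of the package's CVE reporting for as long as it stays in the file, and its comment names only the patch file, not the upstream release that makes the entry obsolete. Since the commit message says the issue is fixed in 5.8.3, the comment could read `# 0005-liblzma-Fix-a-buffer-overflow-in-lzma-index-append.patch (fixed upstream in 5.8.3; drop with the patch on bump)`. In the embedded liblzma patch, the `assert(i->prealloc > 0);` added to lzma_index_append() is a no-op when the library is compiled with NDEBUG, so release builds rely on the `if (records == 0)` guard in lzma_index_prealloc() alone. Both function bodies continue outside their hunks, so whether any other path writes i->prealloc cannot be checked from here.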