GET /api/patches/2227925/?format=api
{ "id": 2227925, "url": "http://patchwork.ozlabs.org/api/patches/2227925/?format=api", "web_url": "http://patchwork.ozlabs.org/project/buildroot/patch/20260424134443.3420911-1-peter@korsgaard.com/", "project": { "id": 27, "url": "http://patchwork.ozlabs.org/api/projects/27/?format=api", "name": "Buildroot development", "link_name": "buildroot", "list_id": "buildroot.buildroot.org", "list_email": "buildroot@buildroot.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260424134443.3420911-1-peter@korsgaard.com>", "list_archive_url": null, "date": "2026-04-24T13:44:42", "name": "[PATCH-2025.02.x] package/xz: add upstream security fix for CVE-2026-34743", "commit_ref": null, "pull_url": null, "state": "superseded", "archived": false, "hash": "1bd170aff0e3e5709f8f55dd9525a560d4a4f2f2", "submitter": { "id": 42365, "url": "http://patchwork.ozlabs.org/api/people/42365/?format=api", "name": "Peter Korsgaard", "email": "peter@korsgaard.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/buildroot/patch/20260424134443.3420911-1-peter@korsgaard.com/mbox/", "series": [ { "id": 501368, "url": "http://patchwork.ozlabs.org/api/series/501368/?format=api", "web_url": "http://patchwork.ozlabs.org/project/buildroot/list/?series=501368", "date": "2026-04-24T13:44:42", "name": "[PATCH-2025.02.x] package/xz: add upstream security fix for CVE-2026-34743", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/501368/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2227925/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2227925/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<buildroot-bounces@buildroot.org>", "X-Original-To": [ "incoming-buildroot@patchwork.ozlabs.org", "buildroot@buildroot.org" ], "Delivered-To": [ "patchwork-incoming-buildroot@legolas.ozlabs.org", "buildroot@buildroot.org" ], 
"Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=nPxnHZ3J;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::137; helo=smtp4.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)" ], "Received": [ "from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g2DjQ3qZLz1xvV\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Fri, 24 Apr 2026 23:44:58 +1000 (AEST)", "from localhost (localhost [127.0.0.1])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 160F2401E1;\n\tFri, 24 Apr 2026 13:44:56 +0000 (UTC)", "from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id VKCqw25ZBIOF; Fri, 24 Apr 2026 13:44:55 +0000 (UTC)", "from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 216C640015;\n\tFri, 24 Apr 2026 13:44:55 +0000 (UTC)", "from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])\n by lists1.osuosl.org (Postfix) with ESMTP id 0A4B124D\n for <buildroot@buildroot.org>; Fri, 24 Apr 2026 13:44:53 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n by smtp3.osuosl.org (Postfix) with ESMTP id E34F561B21\n for <buildroot@buildroot.org>; Fri, 24 Apr 2026 13:44:52 +0000 (UTC)", "from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id IyIoiAShVh8n for <buildroot@buildroot.org>;\n Fri, 24 Apr 2026 13:44:51 +0000 (UTC)", "from sendmail.purelymail.com (sendmail.purelymail.com\n 
[34.202.193.197])\n by smtp3.osuosl.org (Postfix) with ESMTPS id 4741661B1F\n for <buildroot@buildroot.org>; Fri, 24 Apr 2026 13:44:50 +0000 (UTC)", "by smtp.purelymail.com (Purelymail SMTP) with ESMTPSA id 457758527;\n (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);\n Fri, 24 Apr 2026 13:44:45 +0000 (UTC)", "from peko by dell.be.48ers.dk with local (Exim 4.98.2)\n (envelope-from <peko@dell.be.48ers.dk>) id 1wGGpo-0000000ELwG-1J3S;\n Fri, 24 Apr 2026 15:44:44 +0200" ], "X-Virus-Scanned": [ "amavis at osuosl.org", "amavis at osuosl.org" ], "X-Comment": "SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ", "DKIM-Filter": [ "OpenDKIM Filter v2.11.0 smtp4.osuosl.org 216C640015", "OpenDKIM Filter v2.11.0 smtp3.osuosl.org 4741661B1F" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1777038295;\n\tbh=sxnrMTG4nwBXD3+tALw8j04mVirGFRsswyWoZi6tjJ4=;\n\th=From:To:Date:Subject:List-Id:List-Unsubscribe:List-Archive:\n\t List-Post:List-Help:List-Subscribe:From;\n\tb=nPxnHZ3J7gzS9yZBFVonvWgkwVEoV9WUXevWw3O/PoHD7D4OyI9PDEB5v+pE+Wt6E\n\t z1YfdDaUAd3cZxuVFgkkvpD70Wd0Is+iUwGe9JRR6h0j0EgIoh/Z58LOXIuuRVupR5\n\t 8K1cVJHrGFR1jRCzxB3Tlt0qqoqiQETQI2olys2REjYm26rPXul6USfIJXi5nEDKVF\n\t 9aC8BGYOplELMBt2ZGVPpJIDvJ5NpOF1kZ/m0uASQQ7Z5KPi+xDmjpxrkHZzG5A+pr\n\t kmIkpD5nc3/ep1oME1wpGtBB05h24h4tIHqJ+1hiR9cCTwD6340mUtDc8K2wD6jQjx\n\t ZTODYjAHMTstw==", "Received-SPF": "Pass (mailfrom) identity=mailfrom; client-ip=34.202.193.197;\n helo=sendmail.purelymail.com; envelope-from=peko@korsgaard.com;\n receiver=<UNKNOWN>", "DMARC-Filter": "OpenDMARC Filter v1.4.2 smtp3.osuosl.org 4741661B1F", "Feedback-ID": "21632:4007:null:purelymail", "X-Pm-Original-To": "buildroot@buildroot.org", "From": "Peter Korsgaard <peter@korsgaard.com>", "To": "buildroot@buildroot.org", "Date": "Fri, 24 Apr 2026 15:44:42 +0200", "Message-ID": 
"<20260424134443.3420911-1-peter@korsgaard.com>", "X-Mailer": "git-send-email 2.47.3", "MIME-Version": "1.0", "X-MIME-Autoconverted": "from 8bit to quoted-printable by Purelymail", "X-Mailman-Original-DKIM-Signature": "a=rsa-sha256;\n b=V4LnEv8rIbPBVjO3QwSEKVA/tHZMFNuh3M3AZ+wzEvsacOTzwsJpfwDfz2rLCfAU5bUDw81GW49zobZbqKl2eOboSoPpHDkSgWOK5t0kj+Lj/8T+/9w6FvfmdHK4fxYRk4sGb1oqbgzF9CzdxPuB7OMw0OOgha3CYc9sli1ZAp+FTShwU8vBmh7VBY3AK5sw5OCd0av6nS3mhVnE1NBYMhJ88mZOtbi81lhYg9irzWw2/zve1tIXJl9puDKl/kMGlu3pNaR+Rjbpxolk/9L7sMbw35KU0UeEsCQ4NqaVXEuLzVdhLrMghzDq6MbjWKr/b+JS8rfujoKiwcOu93c5vA==;\n s=purelymail2; d=purelymail.com; v=1;\n bh=4xY+fPlPZgexF5dJplzImvQzRHdbDAcWhVEjtPrKx/s=;\n h=Feedback-ID:Received:Received:From:To:Subject:Date;", "X-Mailman-Original-Authentication-Results": [ "smtp3.osuosl.org;\n dmarc=none (p=none dis=none)\n header.from=korsgaard.com", "smtp3.osuosl.org;\n dkim=pass (2048-bit key,\n unprotected) header.d=purelymail.com header.i=@purelymail.com\n header.a=rsa-sha256 header.s=purelymail2 header.b=V4LnEv8r", "purelymail.com; auth=pass" ], "Subject": "[Buildroot] [PATCH-2025.02.x] package/xz: add upstream security fix\n for CVE-2026-34743", "X-BeenThere": "buildroot@buildroot.org", "X-Mailman-Version": "2.1.30", "Precedence": "list", "List-Id": "Discussion and development of buildroot <buildroot.buildroot.org>", "List-Unsubscribe": "<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>", "List-Archive": "<http://lists.buildroot.org/pipermail/buildroot/>", "List-Post": "<mailto:buildroot@buildroot.org>", "List-Help": "<mailto:buildroot-request@buildroot.org?subject=help>", "List-Subscribe": "<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Errors-To": "buildroot-bounces@buildroot.org", "Sender": "\"buildroot\" 
<buildroot-bounces@buildroot.org>" }, "content": "Fixes the following vulnerability:\n\nCVE-2026-34743: XZ Utils: Buffer overflow in lzma_index_append()\n\nIf lzma_index_decoder() was used to decode an Index that contained no\nRecords, the resulting lzma_index was left in a state where where a\nsubsequent lzma_index_append() would allocate too little memory, and a\nbuffer overflow would occur.\n\nThe lzma_index functions are rarely used by applications directly. In the\nfew applications that do use these functions, the combination of function\ncalls required to trigger this bug are unlikely to exist, because there\ntypically is no reason to append Records to a decoded lzma_index. Thus,\nit's likely that this bug cannot be triggered in any real-world application.\n\nThis bug is older than xz 5.0.0, so all stable releases are affected. The\nissue has been fixed in XZ Utils 5.8.3 and in the Git repository branch\nv5.8. The fix is also available in the Git repository branches v5.6, v5.4,\nand v5.2, but no new releases will be made from these old branches.\n\nhttps://github.com/tukaani-project/xz/security/advisories/GHSA-x872-m794-cxhv\n\nSigned-off-by: Peter Korsgaard <peter@korsgaard.com>\n---\n ...buffer-overflow-in-lzma_index_append.patch | 66 +++++++++++++++++++\n package/xz/xz.mk | 3 +\n 2 files changed, 69 insertions(+)\n create mode 100644 package/xz/0005-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch", "diff": "diff --git a/package/xz/0005-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch b/package/xz/0005-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch\nnew file mode 100644\nindex 0000000000..0555abb3f4\n--- /dev/null\n+++ b/package/xz/0005-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch\n@@ -0,0 +1,66 @@\n+From 8287299ba858bd7ee767fe6eabcc050574616bf4 Mon Sep 17 00:00:00 2001\n+From: Lasse Collin <lasse.collin@tukaani.org>\n+Date: Sun, 29 Mar 2026 19:11:21 +0300\n+Subject: [PATCH] liblzma: Fix a buffer overflow in 
lzma_index_append()\n+\n+If lzma_index_decoder() was used to decode an Index that contained no\n+Records, the resulting lzma_index had an invalid internal \"prealloc\"\n+value. If lzma_index_append() was called on this lzma_index, too\n+little memory would be allocated and a buffer overflow would occur.\n+\n+While this combination of the API functions is meant to work, in the\n+real-world apps this call sequence is rare or might not exist at all.\n+\n+This bug is older than xz 5.0.0, so all stable releases are affected.\n+\n+Reported-by: GitHub user christos-spearbit\n+(cherry picked from commit c8c22869e780ff57c96b46939c3d79ff99395f87)\n+CVE: CVE-2026-34743\n+Upstream: https://github.com/tukaani-project/xz/commit/8287299ba858bd7ee767fe6eabcc050574616bf4\n+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>\n+---\n+ src/liblzma/common/index.c | 21 +++++++++++++++++++++\n+ 1 file changed, 21 insertions(+)\n+\n+diff --git a/src/liblzma/common/index.c b/src/liblzma/common/index.c\n+index 6add6a68..c4aadb9b 100644\n+--- a/src/liblzma/common/index.c\n++++ b/src/liblzma/common/index.c\n+@@ -433,6 +433,26 @@ lzma_index_prealloc(lzma_index *i, lzma_vli records)\n+ \tif (records > PREALLOC_MAX)\n+ \t\trecords = PREALLOC_MAX;\n+ \n++\t// If index_decoder.c calls us with records == 0, it's decoding\n++\t// an Index that has no Records. In that case the decoder won't call\n++\t// lzma_index_append() at all, and i->prealloc isn't used during\n++\t// the Index decoding either.\n++\t//\n++\t// Normally the first lzma_index_append() call from the Index decoder\n++\t// would reset i->prealloc to INDEX_GROUP_SIZE. With no Records,\n++\t// lzma_index_append() isn't called and the resetting of prealloc\n++\t// won't occur either. Thus, if records == 0, use the default value\n++\t// INDEX_GROUP_SIZE instead.\n++\t//\n++\t// NOTE: lzma_index_append() assumes i->prealloc > 0. 
liblzma <= 5.8.2\n++\t// didn't have this check and could set i->prealloc = 0, which would\n++\t// result in a buffer overflow if the application called\n++\t// lzma_index_append() after decoding an empty Index. Appending\n++\t// Records after decoding an Index is a rare thing to do, but\n++\t// it is supposed to work.\n++\tif (records == 0)\n++\t\trecords = INDEX_GROUP_SIZE;\n++\n+ \ti->prealloc = (size_t)(records);\n+ \treturn;\n+ }\n+@@ -685,6 +705,7 @@ lzma_index_append(lzma_index *i, const lzma_allocator *allocator,\n+ \t\t++g->last;\n+ \t} else {\n+ \t\t// We need to allocate a new group.\n++\t\tassert(i->prealloc > 0);\n+ \t\tg = lzma_alloc(sizeof(index_group)\n+ \t\t\t\t+ i->prealloc * sizeof(index_record),\n+ \t\t\t\tallocator);\n+-- \n+2.47.3\n+\ndiff --git a/package/xz/xz.mk b/package/xz/xz.mk\nindex 60c2df70ee..d32c6f08f9 100644\n--- a/package/xz/xz.mk\n+++ b/package/xz/xz.mk\n@@ -24,6 +24,9 @@ HOST_XZ_ADD_CCACHE_DEPENDENCY = NO\n # 0004-liblzma-mt-dec-Don-t-modify-thr-in_size-in-the-worke.patch\n XZ_IGNORE_CVES = CVE-2025-31115\n \n+# 0005-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch\n+XZ_IGNORE_CVES += CVE-2026-34743\n+\n XZ_CONF_OPTS = \\\n \t--enable-encoders=lzma1,lzma2,delta,x86,powerpc,ia64,arm,armthumb,arm64,sparc,riscv \\\n \t--enable-decoders=lzma1,lzma2,delta,x86,powerpc,ia64,arm,armthumb,arm64,sparc,riscv \\\n", "prefixes": [ "PATCH-2025.02.x" ] }
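Review bot: The new `XZ_IGNORE_CVES += CVE-2026-34743` entry in package/xz/xz.mk is documented only by the patch file name, so nothing next to it says when the entry stops being valid. The entry suppresses the CVE in Buildroot's CVE reporting on the strength of the local backport, so it is correct only while 0005-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch is still applied. If the patch is later removed without this line, the CVE stays hidden. The commit message names XZ Utils 5.8.3 as the first fixed release, so I would extend the comment to `# 0005-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch (fixed upstream in 5.8.3, drop with the patch on bump)`.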