[{"id":3682130,"web_url":"http://patchwork.ozlabs.org/comment/3682130/","msgid":"<20260424163345.172428-1-thomas.perale@mind.be>","list_archive_url":null,"date":"2026-04-24T16:33:45","subject":"Re: [Buildroot] [PATCH-2025.02.x] package/xz: add upstream security\n fix for CVE-2026-34743","submitter":{"id":87308,"url":"http://patchwork.ozlabs.org/api/people/87308/","name":"Thomas Perale","email":"thomas.perale@mind.be"},"content":"Hi Peter,\n\nThanks for the submission I applied right now the following\nhttps://lore.kernel.org/r/<20260417120641.174060-2-thomas.perale@mind.be>\n\nI think the patch is the same.\n\nI tend to keep a small buffer for people to react to the patches I backport and\napply myself. If you think security backport should be applied faster let me\nknow.\n\nBest regards,\nPERALE Thomas\n\nIn reply of:\n> Fixes the following vulnerability:\n> \n> CVE-2026-34743: XZ Utils: Buffer overflow in lzma_index_append()\n> \n> If lzma_index_decoder() was used to decode an Index that contained no\n> Records, the resulting lzma_index was left in a state where where a\n> subsequent lzma_index_append() would allocate too little memory, and a\n> buffer overflow would occur.\n> \n> The lzma_index functions are rarely used by applications directly. In the\n> few applications that do use these functions, the combination of function\n> calls required to trigger this bug are unlikely to exist, because there\n> typically is no reason to append Records to a decoded lzma_index. Thus,\n> it's likely that this bug cannot be triggered in any real-world application.\n> \n> This bug is older than xz 5.0.0, so all stable releases are affected. The\n> issue has been fixed in XZ Utils 5.8.3 and in the Git repository branch\n> v5.8. The fix is also available in the Git repository branches v5.6, v5.4,\n> and v5.2, but no new releases will be made from these old branches.\n> \n> https://github.com/tukaani-project/xz/security/advisories/GHSA-x872-m794-cxhv\n> \n> Signed-off-by: Peter Korsgaard \n\n> ---\n> ...buffer-overflow-in-lzma_index_append.patch | 66 +++++++++++++++++++\n> package/xz/xz.mk | 3 +\n> 2 files changed, 69 insertions(+)\n> create mode 100644 package/xz/0005-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch\n> \n> diff --git a/package/xz/0005-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch b/package/xz/0005-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch\n> new file mode 100644\n> index 0000000000..0555abb3f4\n> --- /dev/null\n> +++ b/package/xz/0005-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch\n> @@ -0,0 +1,66 @@\n> +From 8287299ba858bd7ee767fe6eabcc050574616bf4 Mon Sep 17 00:00:00 2001\n> +From: Lasse Collin \n> +Date: Sun, 29 Mar 2026 19:11:21 +0300\n> +Subject: [PATCH] liblzma: Fix a buffer overflow in lzma_index_append()\n> +\n> +If lzma_index_decoder() was used to decode an Index that contained no\n> +Records, the resulting lzma_index had an invalid internal \"prealloc\"\n> +value. If lzma_index_append() was called on this lzma_index, too\n> +little memory would be allocated and a buffer overflow would occur.\n> +\n> +While this combination of the API functions is meant to work, in the\n> +real-world apps this call sequence is rare or might not exist at all.\n> +\n> +This bug is older than xz 5.0.0, so all stable releases are affected.\n> +\n> +Reported-by: GitHub user christos-spearbit\n> +(cherry picked from commit c8c22869e780ff57c96b46939c3d79ff99395f87)\n> +CVE: CVE-2026-34743\n> +Upstream: https://github.com/tukaani-project/xz/commit/8287299ba858bd7ee767fe6eabcc050574616bf4\n> +Signed-off-by: Peter Korsgaard \n> +---\n> + src/liblzma/common/index.c | 21 +++++++++++++++++++++\n> + 1 file changed, 21 insertions(+)\n> +\n> +diff --git a/src/liblzma/common/index.c b/src/liblzma/common/index.c\n> +index 6add6a68..c4aadb9b 100644\n> +--- a/src/liblzma/common/index.c\n> ++++ b/src/liblzma/common/index.c\n> +@@ -433,6 +433,26 @@ lzma_index_prealloc(lzma_index *i, lzma_vli records)\n> + \tif (records > PREALLOC_MAX)\n> + \t\trecords = PREALLOC_MAX;\n> + \n> ++\t// If index_decoder.c calls us with records == 0, it's decoding\n> ++\t// an Index that has no Records. In that case the decoder won't call\n> ++\t// lzma_index_append() at all, and i->prealloc isn't used during\n> ++\t// the Index decoding either.\n> ++\t//\n> ++\t// Normally the first lzma_index_append() call from the Index decoder\n> ++\t// would reset i->prealloc to INDEX_GROUP_SIZE. With no Records,\n> ++\t// lzma_index_append() isn't called and the resetting of prealloc\n> ++\t// won't occur either. Thus, if records == 0, use the default value\n> ++\t// INDEX_GROUP_SIZE instead.\n> ++\t//\n> ++\t// NOTE: lzma_index_append() assumes i->prealloc > 0. liblzma <= 5.8.2\n> ++\t// didn't have this check and could set i->prealloc = 0, which would\n> ++\t// result in a buffer overflow if the application called\n> ++\t// lzma_index_append() after decoding an empty Index. Appending\n> ++\t// Records after decoding an Index is a rare thing to do, but\n> ++\t// it is supposed to work.\n> ++\tif (records == 0)\n> ++\t\trecords = INDEX_GROUP_SIZE;\n> ++\n> + \ti->prealloc = (size_t)(records);\n> + \treturn;\n> + }\n> +@@ -685,6 +705,7 @@ lzma_index_append(lzma_index *i, const lzma_allocator *allocator,\n> + \t\t++g->last;\n> + \t} else {\n> + \t\t// We need to allocate a new group.\n> ++\t\tassert(i->prealloc > 0);\n> + \t\tg = lzma_alloc(sizeof(index_group)\n> + \t\t\t\t+ i->prealloc * sizeof(index_record),\n> + \t\t\t\tallocator);\n> +-- \n> +2.47.3\n> +\n> diff --git a/package/xz/xz.mk b/package/xz/xz.mk\n> index 60c2df70ee..d32c6f08f9 100644\n> --- a/package/xz/xz.mk\n> +++ b/package/xz/xz.mk\n> @@ -24,6 +24,9 @@ HOST_XZ_ADD_CCACHE_DEPENDENCY = NO\n> # 0004-liblzma-mt-dec-Don-t-modify-thr-in_size-in-the-worke.patch\n> XZ_IGNORE_CVES = CVE-2025-31115\n> \n> +# 0005-liblzma-Fix-a-buffer-overflow-in-lzma_index_append.patch\n> +XZ_IGNORE_CVES += CVE-2026-34743\n> +\n> XZ_CONF_OPTS = \\\n> \t--enable-encoders=lzma1,lzma2,delta,x86,powerpc,ia64,arm,armthumb,arm64,sparc,riscv \\\n> \t--enable-decoders=lzma1,lzma2,delta,x86,powerpc,ia64,arm,armthumb,arm64,sparc,riscv \\\n> -- \n> 2.47.3\n> \n> _______________________________________________\n> buildroot mailing list\n> buildroot@buildroot.org\n> https://lists.buildroot.org/mailman/listinfo/buildroot","headers":{"Return-Path":"","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=bTSnctZP;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g2JSJ5FHBz1yD5\n\tfor ;\n Sat, 25 Apr 2026 02:33:52 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id 2E92B84D6A;\n\tFri, 24 Apr 2026 16:33:51 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id s_2-FFQsvYPw; Fri, 24 Apr 2026 16:33:50 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id 44F7F84D6B;\n\tFri, 24 Apr 2026 16:33:50 +0000 (UTC)","from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])\n by lists1.osuosl.org (Postfix) with ESMTP id 2E1AC206\n for ; Fri, 24 Apr 2026 16:33:49 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp3.osuosl.org (Postfix) with ESMTP id 2B0C261C33\n for ; Fri, 24 Apr 2026 16:33:49 +0000 (UTC)","from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id zXRotFHVZuNx for ;\n Fri, 24 Apr 2026 16:33:48 +0000 (UTC)","from mail-wm1-x32c.google.com (mail-wm1-x32c.google.com\n [IPv6:2a00:1450:4864:20::32c])\n by smtp3.osuosl.org (Postfix) with ESMTPS id 06BBA61C32\n for ; Fri, 24 Apr 2026 16:33:47 +0000 (UTC)","by mail-wm1-x32c.google.com with SMTP id\n 5b1f17b1804b1-488d2079582so94033265e9.2\n for ; Fri, 24 Apr 2026 09:33:47 -0700 (PDT)","from arch ([79.132.248.48]) by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-48a52d232afsm104772695e9.31.2026.04.24.09.33.45\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Fri, 24 Apr 2026 09:33:45 -0700 (PDT)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver= ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp1.osuosl.org 44F7F84D6B","OpenDKIM Filter v2.11.0 smtp3.osuosl.org 06BBA61C32"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1777048430;\n\tbh=JqCLe0Unmo4dpjfuRSXHdjBnPb7BvNEJuzWO1JCNv2g=;\n\th=To:Cc:Date:In-Reply-To:References:Subject:List-Id:\n\t List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:\n\t From:Reply-To:From;\n\tb=bTSnctZPxSxp44+OJBUciFFeWiTQPHDNVa4XZftQUX0y69LuONSXGOR7HUtB4L7ss\n\t K8uNvdzHpvksmtmMJOl8MykWjcSIr10G4MbfatXeNLJ4A4GppYAZuFb2f94EajGrEH\n\t 1XU6RPW7rs0qHcKokklzYF2K9AuxZMMtx/myw4to7MrjVev05INdN2B38RRDTaemKe\n\t VsQ27tgSevdu0Tt4aBN4uXXJtq7T0VJGh1GbgokbOCZ0ZAZrXOCeAeso+y843bsiog\n\t wh659ccYyG9q1OxkNfNyZm1CNsfoXukoHEA2+JCfsZDflT3i8R8u2Z6IljWxDFdfYj\n\t bdhz69Zw1ymew==","Received-SPF":"Pass (mailfrom) identity=mailfrom;\n client-ip=2a00:1450:4864:20::32c; helo=mail-wm1-x32c.google.com;\n envelope-from=thomas.perale@essensium.com; receiver=","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp3.osuosl.org 06BBA61C32","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777048426; x=1777653226;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=5wKVenRKLQoWOUipgFvma2Ri+aVeaWdiFyuJMZ9fqFo=;\n b=nDtova7JKxnNFIKGh709uyoIVtXhaYxnlZsV1yvBLC7MfAfk9pEy+ZU9m+WRo9Cb0i\n DUwW8x2aAY5lxxDr71xHODzvzdfuLOJuWbcW5qGAsLVC9vLHTeFi0l1w+4bafmF4ULLN\n 1v0VvMgYv0EI7xtUTE1uUuUAwIaK0HVh8PtEERPll2i3Q3Fw4MvTetYDXez+z2fo149K\n L/WsWOY+J7gUrjjQnMCjbApzvjCG6oE9Dp/BfxyS7fX1N36zc2wR3B9Ke+0VALBW3TnE\n AppxCB4RqllkwMUltQeIfe4KLkm/nbj3AUGFbqMeYlmpx6tSnd2ds5H2LI+NGX3NqkY3\n 7kuA==","X-Forwarded-Encrypted":"i=1;\n AFNElJ88bJkUjKuEf+qch0z7aKEKGVEtISBPuJm/uMssApFIG/FyCTaC07b1uRr9YNkBd3qFxy49iBJtXAI=@buildroot.org","X-Gm-Message-State":"AOJu0YwjU5cqnR1CiLDf39xhRMbeDW5iJVxHrhHSwBxg/F2Z2+0xLYL1\n XHWL1LzhFXu54Iss9R6D/BNEcfbUiRneB8p/ML3vcsLpW35MAfenanvgFrCuHZhf9oq5AQHPNMJ\n 1rDgR","X-Gm-Gg":"AeBDiesPbOFqdgmCt0GcPs1dMOKamp2G1v7Eu6hwHtCvEkncqd3z6p3Odgokkl91WfZ\n 9RWbwn3tI5uPckKa+Si6sgGihVD7A1qMO/xPzcd/ekNWtXHib5XjIQakVBnfn5sBcs/K17pLNOz\n yVthKayO376m/jb3ZiZ7Xy83yN0OLLG0lppFbszNtobbpyM5lmk3gnSADdwJG29zl/hMyjWi2bS\n 1AyOlpfa9H1ms/6WjnszYCh1EEf7RIJnQ316ATYxKDsU1moUFbCK3QJvYUv6q9Y9XDHYg3ngw/s\n XIOkW7Lij9+Bjc1t9NcHiK9WT6E2hMemJXgr8YfjSJxwAJirIVST9x1sbViVB8PgSfGTeusDh+Y\n VZGPHIbvCsEE6szmEfnDOteRxvIGWXoUS3Ilwfi5vNg1Z3Y80zivJSPQ0ILIFFMwUT5NYTbRLZB\n VgkIzhlbQAYRETs191/7ZIBoRy0w==","X-Received":"by 2002:a05:600c:c177:b0:488:a82f:bba9 with SMTP id\n 5b1f17b1804b1-488fb7804f3mr435811475e9.22.1777048425885;\n Fri, 24 Apr 2026 09:33:45 -0700 (PDT)","To":"Peter Korsgaard ","Cc":"Thomas Perale ,\n\tbuildroot@buildroot.org","Date":"Fri, 24 Apr 2026 18:33:45 +0200","Message-ID":"<20260424163345.172428-1-thomas.perale@mind.be>","X-Mailer":"git-send-email 2.54.0","In-Reply-To":"<20260424134443.3420911-1-peter@korsgaard.com>","References":"<20260424134443.3420911-1-peter@korsgaard.com>","MIME-Version":"1.0","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=mind.be; s=google; t=1777048426; x=1777653226; darn=buildroot.org;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=5wKVenRKLQoWOUipgFvma2Ri+aVeaWdiFyuJMZ9fqFo=;\n b=OI+/YfUrCnPMLiJQXvnhlfMPGHZ+wULP9jSe4B/HdWE197rNTPNFrX6PQGz7ZZljFR\n /xCe3qooAP/4Fgt+punyRFMyTXSmnxSnhlrR56Vh9Rpc0OfutU/Vv9JpP5q8HKHIwke1\n 6tcLQF4cPCiW3v55Lyaq7QLSatVwnyj9YFwmT6/hOYBuu7MJVfGoSGaEunrAKVbBkqDp\n QUelOWB47XZqmRN1hc5Z0P6JRxtDhH0aUSIQrIzxCnXneGFWk0tne6jSnZ2yI2QFpKjg\n PJOiUq00bfK28Iuq2gHLGr3DXwZcMXeHIYZxpS+0wNAsKfeTyWCZ4xk/GPJvQY3s6det\n l8vg==","X-Mailman-Original-Authentication-Results":["smtp3.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=mind.be","smtp3.osuosl.org;\n dkim=pass (2048-bit key) header.d=mind.be header.i=@mind.be\n header.a=rsa-sha256 header.s=google header.b=OI+/YfUr"],"Subject":"Re: [Buildroot] [PATCH-2025.02.x] package/xz: add upstream security\n fix for CVE-2026-34743","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","From":"Thomas Perale via buildroot ","Reply-To":"Thomas Perale ","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" "}}]