XZ Utils 5.8.3: Security update with unclear risk

The developers of the widely used XZ Utils have released an updated version that patches security vulnerabilities.

(Image: finger tapping on an update button – heise online / dmk)

Version 5.8.3 of XZ Utils patches security vulnerabilities, among other things. There is disagreement about their severity. For security reasons, admins should look for updated packages and install them promptly.

The release announcement for XZ Utils 5.8.3 lists the changes. It fixes a vulnerability in the lzma_index_append() function, which can lead to a buffer overflow – "under conditions that likely don't exist in any real-world application", as the programmers write (CVE-2026-34743). "The lzma_index functions are rarely used by applications directly. In the few applications that do use these functions, the combination of function calls required to trigger this bug are unlikely to exist, because there typically is no reason to append Records to a decoded lzma_index," they assess.

On the oss-security mailing list, Gentoo developer Sam James agrees with the developers' assessment that the vulnerability requires unusual use of a rarely called API. The IT security company Tenable, however, rates the vulnerability as risk level "critical". CERT-Bund, part of Germany's Federal Office for Information Security (BSI), also arrives at a CVSS score of 9.8 and a risk rating of "critical".

The updated version of XZ Utils also corrects a problem that can lead to memory access outside the intended area, at least on 32-bit systems and only under certain preconditions. This vulnerability has not received a CVE entry.


The security vulnerability CVE-2026-34743 affects XZ Utils from version 5.0.0 onwards. The developers are not releasing new versions of the 5.2.x, 5.4.x, or 5.6.x development branches, but have incorporated the bug fixes into the xz Git repository. If necessary, affected parties can obtain the current sources from there and compile them themselves.

IT managers should check whether updated XZ Utils packages are available for the distributions they deploy and apply them promptly. Slackware has already updated xz. Debian lists the affected distribution versions but has not yet published a risk assessment and does not yet offer updated packages.

Two years ago, the compression library xz was at the center of a near-disaster: intelligence agents smuggled backdoors into its code, which many other software applications use as a basic component.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.