Debian Xz-Utils vulnerabilities
6 known vulnerabilities affecting debian/xz-utils.
Total CVEs: 6
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown
HIGH: 2, LOW: 4
Vulnerabilities
CVE-2026-34743 | LOW | CVSS 1.7 | fixed in xz-utils 5.8.3-1 (forky) | 2026
CVE-2026-34743 [LOW] CVE-2026-34743: xz-utils - XZ Utils provide a general-purpose data-compression library plus command-line to...
XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been p
debian
CVE-2025-31115 | HIGH | CVSS 8.7 | fixed in xz-utils 5.4.1-1 (bookworm) | 2025
CVE-2025-31115 [HIGH] CVE-2025-31115: xz-utils - XZ Utils provide a general-purpose data-compression library plus command-line to...
XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use th
debian
CVE-2024-3094 | LOW | CVSS 10.0 | PoC | fixed in xz-utils 5.6.1+really5.4.5-1 (forky) | 2024
CVE-2024-3094 [CRITICAL] CVE-2024-3094: xz-utils - Malicious code was discovered in the upstream tarballs of xz, starting with vers...
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that c
debian
CVE-2024-47611 | LOW | CVSS 6.3 | 2024
CVE-2024-47611 [MEDIUM] CVE-2024-47611: xz-utils - XZ Utils provide a general-purpose data-compression library plus command-line to...
XZ Utils provide a general-purpose data-compression library plus command-line tools. When built for native Windows (MinGW-w64 or MSVC), the command line tools from XZ Utils 5.6.2 and older have a command line argument injection vulnerability. If a command line contains Unicode characters (for example, filenames) that don't exist in the current legacy code page, t
debian
CVE-2022-1271 | HIGH | CVSS 8.8 | fixed in gzip 1.12-1 (bookworm) | 2022
CVE-2022-1271 [HIGH] CVE-2022-1271: gzip - An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. Whe...
An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content
debian
CVE-2015-4035 | LOW | CVSS 7.8 | 2015
CVE-2015-4035 [HIGH] CVE-2015-4035: xz-utils - scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly p...
scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons, which allows remote attackers to execute arbitrary code by having a user run xzgrep on a crafted file name.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
debian