
Fedora 40: FEDORA-2025-4871b31998 critical: xz heap-use-after-free

May 10, 2025
The xz 5.8.1 update for Fedora 40 fixes a critical heap-use-after-free vulnerability in the threaded .xz decoder of the xz compression tool.

Summary

XZ Utils are an attempt to make LZMA compression easy to use on free (as in freedom) operating systems. This is achieved by providing tools and libraries that are used in much the same way as the equivalents for the most popular existing compression algorithms.

LZMA is a general purpose compression algorithm designed by Igor Pavlov as part of 7-Zip. It provides high compression ratio while keeping the decompression speed fast.

Update Information:

xz 5.8.1

Change Log

* Thu Apr 24 2025 Adam Williamson - 1:5.8.1-2
- Rebuild without changes to fix gating problem

* Thu Apr 3 2025 Richard W.M. Jones - 1:5.8.1-1
- New upstream version 5.8.1
- Fixes CVE-2025-31115 heap-use-after-free bug in threaded .xz decoder

* Wed Mar 26 2025 Jakub Martisko - 1:5.8.0-1
- New upstream version 5.8.0 Resolves: rhbz#2341818

* Sun Jan 19 2025 Fedora Release Engineering - 1:5.6.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild

* Fri Oct 11 2024 Richard W.M. Jones - 1:5.6.3-2
- perl-Compress-Raw-Lzma dep has been removed, rebuild
  https://src.fedoraproject.org/rpms/perl-Compress-Raw-Lzma/pull-request/3

* Wed Oct 2 2024 Richard W.M. Jones - 1:5.6.3-1
- New upstream version 5.6.3 (RHBZ#2316069)

* Thu Aug 8 2024 Lukáš Zaoral - 1:5.6.2-3
- fix licenses and finish SPDX license conversion

* Sat Jul 20 2024 Fedora Release Engineering - 1:5.6.2-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild

* Thu Jun 20 2024 Richard W.M. Jones - 1:5.6.2-1
- New upstream version 5.6.2 (RHBZ#2283854)
- Remove "Jia Tan" pubkey, replace with Lasse Collin's.

References


[1] Bug #2357251 - CVE-2025-31115 xz: XZ has a heap-use-after-free bug in threaded .xz decoder [fedora-40]
    https://bugzilla.redhat.com/show_bug.cgi?id=2357251

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-4871b31998' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
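
After the upgrade, each host should carry an xz build at or above 1:5.8.1-1, the changelog entry that fixes CVE-2025-31115. The following is an added example, not part of the advisory or of Fedora's tooling: a simplified Python re-implementation of RPM's epoch:version-release ordering (no ~ or ^ handling) applied to a constructed inventory with hypothetical host names. It assumes the EVR strings were collected with rpm -q --qf '%{EPOCHNUM}:%{VERSION}-%{RELEASE}\n' xz.

```python
import re

# First build in the advisory's changelog that fixes CVE-2025-31115.
FIXED_EVR = "1:5.8.1-1"

def _segments(s):
    # RPM compares maximal runs of digits or letters; other characters only separate them.
    return re.findall(r"\d+|[A-Za-z]+", s)

def _cmp_part(a, b):
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric runs compare as integers (10 > 8)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run is newer than an alphabetic one
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra trailing segments are newer

def parse_evr(evr):
    epoch, _, rest = evr.rpartition(":")     # no "N:" prefix means epoch 0
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def evr_cmp(a, b):
    (ea, va, ra), (eb, vb, rb) = parse_evr(a), parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1          # epoch outranks version and release
    return _cmp_part(va, vb) or _cmp_part(ra, rb)

def has_fix(installed_evr):
    return evr_cmp(installed_evr, FIXED_EVR) >= 0

def hosts_missing_fix(inventory):
    return sorted(h for h, evr in inventory.items() if not has_fix(evr))

# Constructed inventory: hypothetical host names mapped to the EVR of the installed xz package.
INVENTORY = {
    "build-01": "1:5.8.1-2.fc40",  # the build shipped by this advisory
    "web-02": "1:5.8.0-1.fc40",    # previous changelog entry, predates the fix
    "db-03": "1:5.6.2-1.fc40",
    "ci-04": "5.8.1-2.fc40",       # epoch dropped from the query: compares as epoch 0
}

if __name__ == "__main__":
    print(hosts_missing_fix(INVENTORY))
```

The ci-04 entry shows why the epoch must be included in the query: the same build reported without its "1:" prefix sorts below the fixed EVR and is flagged.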

Severity: critical

Name: xz
Product: Fedora 40
Version: 5.8.1
Release: 2.fc40
Summary: LZMA compression utilities
