This update for lrzip fixes the following issues:
Changes in lrzip:
- Update to version 0.660:
  * Do not clean up thread structures in decompression failure conditions, fixing a use-after-free in lzma_decompress_buf() and a NULL pointer dereference in ucompthread() on corrupt/malicious archives (CVE-2025-15570, boo#1258016; CVE-2025-15571, boo#1258023)
  * Handle -L given without a parameter, fixing a NULL pointer dereference (CVE-2025-9396, boo#1248598)
  * Add write bounds checking in libzpaq and sanity checks for maliciously encoded headers and oversized allocations
  * Various STDIO, portability and build fixes (OpenBSD support, non-x86 zpaq, autoconf warnings); drop Doxygen doc build
Patch instructions:
To install this openSUSE security update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch...
- openSUSE Leap 16.0:
lrzip-0.660-bp160.1.1
References:
* bsc#1248598
* bsc#1258016
* bsc#1258023
* https://www.suse.com/security/cve/CVE-2025-15570.html
* https://www.suse.com/security/cve/CVE-2025-15571.html
* https://www.suse.com/security/cve/CVE-2025-9396.html