
=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN349
_____________________________________________________________________

DATE                : 01/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running XZ Utils versions prior
                            to 5.8.3.

=====================================================================
https://tukaani.org/xz/index-append-overflow.html
_____________________________________________________________________



CVE-2026-34743: Buffer overflow in lzma_index_append()
2026-03-31

In XZ Utils 5.8.2 and older, if lzma_index_decoder() was used to decode
an Index that contained no Records, the resulting lzma_index was left
in a state where a subsequent lzma_index_append() would allocate
too little memory, and a buffer overflow would occur (CVE-2026-34743).

The lzma_index functions are rarely used by applications directly. In
the few applications that do use these functions, the combination of
function calls required to trigger this bug are unlikely to exist,
because there typically is no reason to append Records to a decoded
lzma_index. Thus, it’s likely that this bug cannot be triggered in
any real-world application.

The bug was fixed in XZ Utils 5.8.3. The fix is also in the Git
repository branches master, v5.8, v5.6, v5.4, and v5.2.
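Administrators checking whether a deployed liblzma predates the 5.8.3 fix can compare the number reported at run time by lzma_version_number() against the fixed release. The example below is added here and is not code from the advisory or from the XZ Utils project; it assumes the integer version encoding documented in liblzma's lzma/version.h (major * 10000000 + minor * 10000 + patch * 10 + stability, with stability 0 = alpha, 1 = beta, 2 = stable). The helper names xz_version_decode, xz_version_encode and xz_affected_by_cve_2026_34743 are hypothetical; the sample version values are constructed so the program runs without linking against liblzma.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* liblzma encodes its version as one integer (lzma/version.h):
 *   major * 10000000 + minor * 10000 + patch * 10 + stability
 * stability: 0 = alpha, 1 = beta, 2 = stable.
 * lzma_version_number() returns this value for the library actually
 * loaded at run time, which may differ from the headers compiled against. */

typedef struct {
    uint32_t major;
    uint32_t minor;
    uint32_t patch;
    uint32_t stability;
} xz_version;

/* Split an encoded liblzma version number into its components. */
xz_version xz_version_decode(uint32_t encoded)
{
    xz_version v;
    v.major = encoded / 10000000u;
    v.minor = (encoded / 10000u) % 1000u;
    v.patch = (encoded / 10u) % 1000u;
    v.stability = encoded % 10u;
    return v;
}

/* Encode a version the same way liblzma does (used here to build samples). */
uint32_t xz_version_encode(uint32_t major, uint32_t minor,
                           uint32_t patch, uint32_t stability)
{
    return major * 10000000u + minor * 10000u + patch * 10u + stability;
}

/* True when the runtime version predates the 5.8.3 fix for CVE-2026-34743.
 * Only major/minor/patch are compared: the advisory names the fixed
 * release, not a stability level, so 5.8.3 of any stability counts as fixed. */
bool xz_affected_by_cve_2026_34743(uint32_t encoded)
{
    xz_version v = xz_version_decode(encoded);
    if (v.major != 5) return v.major < 5;
    if (v.minor != 8) return v.minor < 8;
    return v.patch < 3;
}

int main(void)
{
    /* Constructed sample values. In a real check, replace the array with
     * the single value returned by lzma_version_number() from <lzma.h>
     * (link with -llzma). */
    uint32_t samples[] = {
        xz_version_encode(5, 8, 2, 2),   /* last affected release */
        xz_version_encode(5, 8, 3, 2),   /* fixed release */
        xz_version_encode(5, 6, 4, 2),   /* older branch, affected */
        xz_version_encode(5, 9, 0, 2),   /* newer branch, not affected */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        xz_version v = xz_version_decode(samples[i]);
        printf("liblzma %u.%u.%u: %s\n", v.major, v.minor, v.patch,
               xz_affected_by_cve_2026_34743(samples[i])
                   ? "AFFECTED by CVE-2026-34743, upgrade to 5.8.3"
                   : "not affected");
    }
    return 0;
}
```

The runtime number matters more than the compile-time LZMA_VERSION macro: a binary built against patched headers still inherits the bug if the shared liblzma on the host is older than 5.8.3.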


Credits

The bug was reported and discovered by Cantina using their AppSec
agent, Apex.

Thanks to Sam James for general help.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
