34164 – xz new security issue CVE-2025-31115

Bug 34164 - xz new security issue CVE-2025-31115

Summary: xz new security issue CVE-2025-31115

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	9
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA9-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2025-04-04 08:17 CEST by Nicolas Salguero
Modified:	2025-04-10 02:23 CEST (History)
CC List:	3 users (show)

See Also:
Source RPM:	xz-5.4.3-1.mga9.src.rpm
CVE:	CVE-2025-31115
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2025-04-04 08:17:36 CEST

CVE-2025-31115 was announced here:
https://www.openwall.com/lists/oss-security/2025/04/03/1

Nicolas Salguero 2025-04-04 08:19:31 CEST

Status comment: (none) => Fixed upstream in 5.8.1 and patches available from upstream
CVE: (none) => CVE-2025-31115
Source RPM: (none) => xz-5.6.3-1.mga10.src.rpm, xz-5.4.3-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO

Comment 1 Nicolas Salguero 2025-04-04 08:31:16 CEST

Suggested advisory:
========================

The updated packages fix a security vulnerability:

XZ has a heap-use-after-free bug in threaded .xz decoder. (CVE-2025-31115)

References:
https://www.openwall.com/lists/oss-security/2025/04/03/1
========================

Updated packages in core/updates_testing:
========================
lib(64)lzma5-5.4.3-1.1.mga9
lib(64)lzma-devel-5.4.3-1.1.mga9
xz-5.4.3-1.1.mga9

from SRPM:
xz-5.4.3-1.1.mga9.src.rpm

Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 5.8.1 and patches available from upstream => (none)
Source RPM: xz-5.6.3-1.mga10.src.rpm, xz-5.4.3-1.mga9.src.rpm => xz-5.4.3-1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9

Comment 2 katnatek 2025-04-05 03:42:31 CEST

RH x86_64

installing lib64lzma-devel-5.4.3-1.1.mga9.x86_64.rpm xz-5.4.3-1.1.mga9.x86_64.rpm lib64lzma5-5.4.3-1.1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ##################################################################################################
      1/3: lib64lzma5            ##################################################################################################
      2/3: lib64lzma-devel       ##################################################################################################
      3/3: xz                    ##################################################################################################
      1/3: removing lib64lzma-devel-5.4.3-1.mga9.x86_64
                                 ##################################################################################################
      2/3: removing xz-5.4.3-1.mga9.x86_64
                                 ##################################################################################################
      3/3: removing lib64lzma5-5.4.3-1.mga9.x86_64
                                 ##################################################################################################

compress a video with xz
extract the .xz with xz -d 
It works

Comment 3 Herman Viaene 2025-04-05 16:26:46 CEST

MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 30261 Comment 7
$ xz arsmusica1.avi 
During the operation:
$ ls -als  a*
1014828 -rw------- 1 tester9 tester9 1039212544 Apr  5 16:17 arsmusica1.avi
 139436 -rw-rw-r-- 1 tester9 tester9  142777888 Jan  4  2011 arsmusica1.avi.xz
Finally
$ ls -als a*
139436 -rw-rw-r-- 1 tester9 tester9 142777888 Jan  4  2011 arsmusica1.avi.xz
[tester9@mach3 Videos]$ xz -d arsmusica1.avi.xz 
After decompression
$ ls -als  a*
4396588 -rw-rw-r-- 1 tester9 tester9 4502133916 Jan  4  2011 arsmusica1.avi
And resulting file plays OK

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

Comment 4 Thomas Andrews 2025-04-05 19:55:14 CEST

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 katnatek 2025-04-06 05:03:05 CEST

Used to extract and create sources for packaging without issues

Keywords: (none) => advisory

Comment 6 Mageia Robot 2025-04-10 02:23:56 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0131.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.