Bug 2391585 (CVE-2025-58058) - CVE-2025-58058 github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory
Summary: CVE-2025-58058 github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory
Keywords:
Status: NEW
Alias: CVE-2025-58058
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2391603 2391604 2391612 2391616 2391618 2391619 2391620 2391622 2391623 2391624 2391625 2391626 2391628 2391629 2391630 2391631 2391632 2391633 2391634 2391635 2391636 2391642 2391643 2391644 2391647 2391648 2391651 2391652 2391653 2391654 2391655 2391656 2391659 2391660 2391661 2391662 2391663 2391664 2391665 2391666 2391667 2391668 2391674 2391675 2391600 2391601 2391602 2391605 2391606 2391607 2391608 2391609 2391610 2391611 2391613 2391614 2391615 2391617 2391621 2391627 2391637 2391638 2391639 2391640 2391641 2391645 2391646 2391649 2391650 2391657 2391658 2391669 2391670 2391671 2391672 2391673 2391676
Blocks:
Reported: 2025-08-28 22:01 UTC by OSIDB Bzimport
Modified: 2025-08-29 16:45 UTC (History)
CC: 108 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-08-28 22:01:09 UTC
xz is a pure Go package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without the situation being detected while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. According to the specification, the LZMA header doesn't include a magic number or a checksum that would detect such an issue. Note that the code recognizes the issue later while reading the stream, but by that time the memory allocation has already been done. This issue has been patched in version 0.5.14.
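To show why a decoder cannot tell a genuine header from prepended bytes before it allocates, the following is an added Go example (not code from the ulikunitz/xz project) that parses the 13-byte LZMA header and enforces a dictionary-size cap before any buffer is committed. The header layout (properties byte, little-endian dictionary size, little-endian uncompressed size) is the LZMA "alone" format; the sample bytes and the 64 MiB cap are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// lzmaHeaderLen is the size of the LZMA header: 1 properties byte,
// a 4-byte little-endian dictionary size, an 8-byte little-endian size.
const lzmaHeaderLen = 13

// Header holds the fields decoded from a raw LZMA header.
type Header struct {
	LC, LP, PB       int    // literal context / literal position / position bits
	DictSize         uint32 // dictionary the decoder allocates up front
	UncompressedSize uint64 // all-ones means "unknown, look for an end marker"
}

// ParseHeader decodes a 13-byte LZMA header. There is no magic number and
// no checksum, so any 13 bytes whose first byte is below 225 decode as a
// syntactically valid header; this function cannot distinguish junk.
func ParseHeader(b []byte) (Header, error) {
	if len(b) < lzmaHeaderLen {
		return Header{}, errors.New("short LZMA header")
	}
	props := int(b[0])
	if props >= 225 { // (pb*5+lp)*9+lc with pb,lp<=4 and lc<=8 peaks at 224
		return Header{}, fmt.Errorf("invalid properties byte 0x%02x", props)
	}
	return Header{
		LC:               props % 9,
		LP:               (props / 9) % 5,
		PB:               props / 45,
		DictSize:         binary.LittleEndian.Uint32(b[1:5]),
		UncompressedSize: binary.LittleEndian.Uint64(b[5:13]),
	}, nil
}

// CheckedDictSize returns the dictionary size to allocate, or an error when
// the header asks for more than maxDict bytes. Since the header cannot be
// authenticated, bounding this value is the only check available before
// the decoder commits memory.
func CheckedDictSize(h Header, maxDict uint32) (uint32, error) {
	if h.DictSize > maxDict {
		return 0, fmt.Errorf("dictionary size %d exceeds cap %d", h.DictSize, maxDict)
	}
	return h.DictSize, nil
}
```

Feeding a constructed prefix such as the ASCII bytes "xz-prefix-junk" to ParseHeader yields a plausible header whose dictionary field is about 1.9 GB, which CheckedDictSize rejects under a 64 MiB cap.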

