Suggestions search

Untriaged

Filter by:

With package: python312Packages.python-xz

Found 2 matching suggestions

View:

Compact

Detailed

Permalink CVE-2026-34743

created 1 week, 4 days ago

XZ Utils: Buffer overflow in lzma_index_append()

XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.

References

https://github.com/tukaani-project/xz/security/advisories/GHSA-x872-m794-cxhv x_refsource_CONFIRM
https://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff99395f87 x_refsource_MISC
https://github.com/tukaani-project/xz/releases/tag/v5.8.3 x_refsource_MISC
http://www.openwall.com/lists/oss-security/2026/03/31/13

Affected products

==< 5.8.3

Matching in nixpkgs

pkgs.xz

General-purpose data compression software, successor of LZMA

nixos-unstable 5.8.2
- nixpkgs-unstable 5.8.2
- nixos-unstable-small 5.8.2
nixos-25.11 5.8.1
- nixos-25.11-small 5.8.1
- nixpkgs-25.11-darwin 5.8.1

pkgs.pxz

compression utility that runs LZMA compression of different parts on multiple cores simultaneously

nixos-unstable 4.999.9beta
- nixpkgs-unstable 4.999.9beta
- nixos-unstable-small 4.999.9beta
nixos-25.11 4.999.9beta
- nixos-25.11-small 4.999.9beta
- nixpkgs-25.11-darwin 4.999.9beta

pkgs.pixz

Parallel compressor/decompressor for xz format

nixos-unstable 1.0.7
- nixpkgs-unstable 1.0.7
- nixos-unstable-small 1.0.7
nixos-25.11 1.0.7
- nixos-25.11-small 1.0.7
- nixpkgs-25.11-darwin 1.0.7

pkgs.xzgv

Picture viewer for X with a thumbnail-based selector

nixos-unstable 0.9.2
- nixpkgs-unstable 0.9.2
- nixos-unstable-small 0.9.2
nixos-25.11 0.9.2
- nixos-25.11-small 0.9.2
- nixpkgs-25.11-darwin 0.9.2

pkgs.xzoom

X11 screen zoom tool

nixos-unstable 0.3
- nixpkgs-unstable 0.3
- nixos-unstable-small 0.3
nixos-25.11 0.3
- nixos-25.11-small 0.3
- nixpkgs-25.11-darwin 0.3

pkgs.haskellPackages.xz

LZMA/XZ compression and decompression

nixos-unstable 5.6.3
- nixpkgs-unstable 5.6.3
- nixos-unstable-small 5.6.3

pkgs.matrix-zulip-bridge

Matrix puppeting appservice bridge for Zulip

nixos-unstable 0.4.1
- nixpkgs-unstable 0.4.1
- nixos-unstable-small 0.4.1
nixos-25.11 0.4.1
- nixos-25.11-small 0.4.1
- nixpkgs-25.11-darwin 0.4.1

pkgs.minimal-bootstrap.xz

General-purpose data compression software, successor of LZMA

nixos-unstable 5.4.7
- nixpkgs-unstable 5.4.7
- nixos-unstable-small 5.4.7

pkgs.plymouth-proxzima-theme

Techno Plymouth theme with crazy animation

nixos-unstable 0-unstable-2023-01-30
- nixpkgs-unstable 0-unstable-2023-01-30
- nixos-unstable-small 0-unstable-2023-01-30
nixos-25.11 0-unstable-2023-01-30
- nixos-25.11-small 0-unstable-2023-01-30
- nixpkgs-25.11-darwin 0-unstable-2023-01-30

pkgs.python312Packages.txzmq

Twisted bindings for ZeroMQ

nixos-25.11 1.0.0
- nixos-25.11-small 1.0.0
- nixpkgs-25.11-darwin 1.0.0

pkgs.python313Packages.txzmq

Twisted bindings for ZeroMQ

nixos-unstable 1.0.0
- nixpkgs-unstable 1.0.0
- nixos-unstable-small 1.0.0
nixos-25.11 1.0.0
- nixos-25.11-small 1.0.0
- nixpkgs-25.11-darwin 1.0.0

pkgs.python314Packages.txzmq

Twisted bindings for ZeroMQ

nixos-unstable 1.0.0
- nixpkgs-unstable 1.0.0
- nixos-unstable-small 1.0.0

pkgs.tests.fetchgit.simple-tag

None

nixos-unstable 43xz9z3bd4hb
- nixpkgs-unstable 43xz9z3bd4hb
- nixos-unstable-small 43xz9z3bd4hb

pkgs.minimal-bootstrap.xz-static

General-purpose data compression software, successor of LZMA

nixos-unstable 5.8.2
- nixpkgs-unstable 5.8.2
- nixos-unstable-small 5.8.2

pkgs.python312Packages.python-xz

Pure Python library for seeking within compressed xz files

nixos-25.11 0.5.0
- nixos-25.11-small 0.5.0
- nixpkgs-25.11-darwin 0.5.0

pkgs.python313Packages.python-xz

Pure Python library for seeking within compressed xz files

nixos-unstable 0.6.0
- nixpkgs-unstable 0.6.0
- nixos-unstable-small 0.6.0
nixos-25.11 0.5.0
- nixos-25.11-small 0.5.0
- nixpkgs-25.11-darwin 0.5.0

pkgs.python314Packages.python-xz

Pure Python library for seeking within compressed xz files

nixos-unstable 0.6.0
- nixpkgs-unstable 0.6.0
- nixos-unstable-small 0.6.0

pkgs.tests.fetchDebianPatch.simple

None

nixos-25.11 vpyr8ixzi0f7
- nixos-25.11-small vpyr8ixzi0f7
- nixpkgs-25.11-darwin vpyr8ixzi0f7

pkgs.tests.fetchpatch.fileWithSpace

None

nixos-unstable 11k71xzm9qsb
- nixpkgs-unstable 11k71xzm9qsb
- nixos-unstable-small 11k71xzm9qsb
nixos-25.11 xn4psbxzzrh5
- nixos-25.11-small xn4psbxzzrh5
- nixpkgs-25.11-darwin xn4psbxzzrh5

pkgs.tests.fetchPypiLegacy.fetchSimple

None

nixos-25.11 4p9ixznv8aay
- nixos-25.11-small 4p9ixznv8aay
- nixpkgs-25.11-darwin 4p9ixznv8aay

pkgs.typstPackages.exzellenz-tum-thesis

Customizable template for a thesis at the TU Munich

nixos-unstable 0.2.0
- nixpkgs-unstable 0.2.0
- nixos-unstable-small 0.2.0
nixos-25.11 0.1.0
- nixos-25.11-small 0.1.0
- nixpkgs-25.11-darwin 0.1.0

pkgs.tests.fetchgit.dumb-http-signed-tag

None

nixos-25.11 wy43snwyynxz
- nixos-25.11-small wy43snwyynxz
- nixpkgs-25.11-darwin wy43snwyynxz

pkgs.tests.fetchNextcloudApp.simple-sha512

None

nixos-25.11 xzdr7yzl80y3
- nixos-25.11-small xzdr7yzl80y3
- nixpkgs-25.11-darwin xzdr7yzl80y3

pkgs.typstPackages.exzellenz-tum-thesis_0_1_0

Customizable template for a thesis at the TU Munich

nixos-unstable 0.1.0
- nixpkgs-unstable 0.1.0
- nixos-unstable-small 0.1.0
nixos-25.11 0.1.0
- nixos-25.11-small 0.1.0
- nixpkgs-25.11-darwin 0.1.0

pkgs.typstPackages.exzellenz-tum-thesis_0_2_0

Customizable template for a thesis at the TU Munich

nixos-unstable 0.2.0
- nixpkgs-unstable 0.2.0
- nixos-unstable-small 0.2.0

pkgs.tests.prefer-remote-fetch.fetchFromGitHub

None

nixos-unstable m26ycvcxzf10
- nixpkgs-unstable m26ycvcxzf10
- nixos-unstable-small m26ycvcxzf10

pkgs.home-assistant-custom-components.localtuya

Home Assistant custom Integration for local handling of Tuya-based devices, fork from local-tuya

nixos-unstable 2025.11.0
- nixpkgs-unstable 2025.11.0
- nixos-unstable-small 2025.11.0
nixos-25.11 2025.11.0
- nixos-25.11-small 2025.11.0
- nixpkgs-25.11-darwin 2025.11.0

pkgs.tests.pkg-config.defaultPkgConfigPackages.liblzma

Test whether xz-5.8.1 exposes pkg-config modules liblzma

nixos-unstable -
- nixpkgs-unstable
- nixos-unstable-small
nixos-25.11 -
- nixos-25.11-small
- nixpkgs-25.11-darwin

Package maintainers

@rhoriguchi Ryan Horiguchi <ryan.horiguchi@gmail.com>
@judgeNotFound Robert Richter <robert.richter@rrcomtech.com>
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@johnrtitor Masum Reza <masumrezarock100@gmail.com>
@ip1981 Igor Pashev <pashev.igor@gmail.com>
@mxmlnkn Maximilian Knespel
@svanderburg Sander van der Burg <s.vanderburg@tudelft.nl>
@cherrypiejam Gongqi Huang
@womfoo Kranium Gikos Mendoza <kranium@gikos.net>
@pyrox0 Pyrox <pyrox@pyrox.dev>
@alejandrosame Alejandro Sánchez Medina <alejandrosanchzmedina@gmail.com>
@06kellyjac Jack <hello+nixpkgs@j-k.io>
@Gskartwii Aleksi Hannula <ahannula4@gmail.com>
@Artturin Artturi N <artturin@artturin.com>
@emilytrau Emily Trau <emily+nix@downunderctf.com>
@Ericson2314 John Ericson <John.Ericson@Obsidian.Systems>
@siraben Siraphob Phipathananunth <bensiraphob@gmail.com>
@RossSmyth Ross Smyth

Permalink CVE-2024-3094

10.0 CRITICAL

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 1 year, 2 months ago

Xz: malicious code in distributed source

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.