Nixpkgs security tracker
XZ Utils: Buffer overflow in lzma_index_append()
XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.
References
-
https://github.com/tukaani-project/xz/security/advisories/GHSA-x872-m794-cxhv x_refsource_CONFIRM
-
https://github.com/tukaani-project/xz/releases/tag/v5.8.3 x_refsource_MISC
Affected products
- ==< 5.8.3
Matching in nixpkgs
pkgs.xz
General-purpose data compression software, successor of LZMA
pkgs.pxz
compression utility that runs LZMA compression of different parts on multiple cores simultaneously
-
nixos-unstable 4.999.9beta
- nixpkgs-unstable 4.999.9beta
- nixos-unstable-small 4.999.9beta
-
nixos-25.11 4.999.9beta
- nixos-25.11-small 4.999.9beta
- nixpkgs-25.11-darwin 4.999.9beta
pkgs.pixz
Parallel compressor/decompressor for xz format
pkgs.xzgv
Picture viewer for X with a thumbnail-based selector
pkgs.xzoom
X11 screen zoom tool
pkgs.haskellPackages.xz
LZMA/XZ compression and decompression
pkgs.matrix-zulip-bridge
Matrix puppeting appservice bridge for Zulip
pkgs.minimal-bootstrap.xz
General-purpose data compression software, successor of LZMA
pkgs.plymouth-proxzima-theme
Techno Plymouth theme with crazy animation
-
nixos-unstable 0-unstable-2023-01-30
- nixpkgs-unstable 0-unstable-2023-01-30
- nixos-unstable-small 0-unstable-2023-01-30
-
nixos-25.11 0-unstable-2023-01-30
- nixos-25.11-small 0-unstable-2023-01-30
- nixpkgs-25.11-darwin 0-unstable-2023-01-30
pkgs.python312Packages.txzmq
Twisted bindings for ZeroMQ
pkgs.python313Packages.txzmq
Twisted bindings for ZeroMQ
pkgs.python314Packages.txzmq
Twisted bindings for ZeroMQ
pkgs.tests.fetchgit.simple-tag
None
-
nixos-unstable 43xz9z3bd4hb
- nixpkgs-unstable 43xz9z3bd4hb
- nixos-unstable-small 43xz9z3bd4hb
pkgs.minimal-bootstrap.xz-static
General-purpose data compression software, successor of LZMA
pkgs.python312Packages.python-xz
Pure Python library for seeking within compressed xz files
pkgs.python313Packages.python-xz
Pure Python library for seeking within compressed xz files
pkgs.python314Packages.python-xz
Pure Python library for seeking within compressed xz files
pkgs.tests.fetchDebianPatch.simple
None
-
nixos-25.11 vpyr8ixzi0f7
- nixos-25.11-small vpyr8ixzi0f7
- nixpkgs-25.11-darwin vpyr8ixzi0f7
pkgs.tests.fetchpatch.fileWithSpace
None
-
nixos-unstable 11k71xzm9qsb
- nixpkgs-unstable 11k71xzm9qsb
- nixos-unstable-small 11k71xzm9qsb
-
nixos-25.11 xn4psbxzzrh5
- nixos-25.11-small xn4psbxzzrh5
- nixpkgs-25.11-darwin xn4psbxzzrh5
pkgs.tests.fetchPypiLegacy.fetchSimple
None
-
nixos-25.11 4p9ixznv8aay
- nixos-25.11-small 4p9ixznv8aay
- nixpkgs-25.11-darwin 4p9ixznv8aay
pkgs.typstPackages.exzellenz-tum-thesis
Customizable template for a thesis at the TU Munich
pkgs.tests.fetchgit.dumb-http-signed-tag
None
-
nixos-25.11 wy43snwyynxz
- nixos-25.11-small wy43snwyynxz
- nixpkgs-25.11-darwin wy43snwyynxz
pkgs.tests.fetchNextcloudApp.simple-sha512
None
-
nixos-25.11 xzdr7yzl80y3
- nixos-25.11-small xzdr7yzl80y3
- nixpkgs-25.11-darwin xzdr7yzl80y3
pkgs.typstPackages.exzellenz-tum-thesis_0_1_0
Customizable template for a thesis at the TU Munich
pkgs.typstPackages.exzellenz-tum-thesis_0_2_0
Customizable template for a thesis at the TU Munich
-
nixos-unstable m26ycvcxzf10
- nixpkgs-unstable m26ycvcxzf10
- nixos-unstable-small m26ycvcxzf10
pkgs.home-assistant-custom-components.localtuya
Home Assistant custom Integration for local handling of Tuya-based devices, fork from local-tuya
pkgs.tests.pkg-config.defaultPkgConfigPackages.liblzma
Test whether xz-5.8.1 exposes pkg-config modules liblzma
Package maintainers
-
@rhoriguchi Ryan Horiguchi <ryan.horiguchi@gmail.com>
-
@judgeNotFound Robert Richter <robert.richter@rrcomtech.com>
-
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
-
@johnrtitor Masum Reza <masumrezarock100@gmail.com>
-
@ip1981 Igor Pashev <pashev.igor@gmail.com>
-
@mxmlnkn Maximilian Knespel
-
@svanderburg Sander van der Burg <s.vanderburg@tudelft.nl>
-
@cherrypiejam Gongqi Huang
-
@womfoo Kranium Gikos Mendoza <kranium@gikos.net>
-
@pyrox0 Pyrox <pyrox@pyrox.dev>
-
@alejandrosame Alejandro Sánchez Medina <alejandrosanchzmedina@gmail.com>
-
@06kellyjac Jack <hello+nixpkgs@j-k.io>
-
@Gskartwii Aleksi Hannula <ahannula4@gmail.com>
-
@Artturin Artturi N <artturin@artturin.com>
-
@emilytrau Emily Trau <emily+nix@downunderctf.com>
-
@Ericson2314 John Ericson <John.Ericson@Obsidian.Systems>
-
@siraben Siraphob Phipathananunth <bensiraphob@gmail.com>
-
@RossSmyth Ross Smyth