xz
Description | Library and command line tools for XZ and LZMA compressed files |
Version | 5.6.3-1 [core] |
Resolved
Group | Affected | Fixed | Severity | Status | Ticket |
---|---|---|---|---|---|
AVG-2851 | 5.6.0-1 | 5.6.1-2 | Critical | Fixed | |
AVG-2665 | 5.2.5-2 | 5.2.5-3 | High | Fixed | |

Issue | Group | Severity | Remote | Type | Description |
---|---|---|---|---|---|
CVE-2024-3094 | AVG-2851 | Critical | Yes | Authentication bypass | Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. The tarballs included extra .m4 files, which contained... |
CVE-2022-1271 | AVG-2665 | High | No | Arbitrary command execution | Malicious filenames with two or more newlines can make zgrep and xzgrep write to arbitrary files or (with a GNU sed extension) lead to arbitrary code... |
Advisories
Date | Advisory | Group | Severity | Type |
---|---|---|---|---|
29 Mar 2024 | ASA-202403-1 | AVG-2851 | Critical | arbitrary code execution |
07 Apr 2022 | ASA-202204-8 | AVG-2665 | High | arbitrary command execution |