Headline
CVE-2020-22916: XZ Utils
An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of crafted file.
XZ Utils is free general-purpose data compression software with a high compression ratio. XZ Utils were written for POSIX-like systems, but also work on some not-so-POSIX systems. XZ Utils are the successor to LZMA Utils.
The core of the XZ Utils compression code is based on LZMA SDK, but it has been modified quite a lot to be suitable for XZ Utils. The primary compression algorithm is currently LZMA2, which is used inside the .xz container format. With typical files, XZ Utils create 30 % smaller output than gzip and 15 % smaller output than bzip2.
XZ Utils consist of several components:
- liblzma is a compression library with an API similar to that of zlib.
- xz is a command line tool with syntax similar to that of gzip.
- xzdec is a decompression-only tool smaller than the full-featured xz tool.
- A set of shell scripts (xzgrep, xzdiff, etc.) have been adapted from gzip to ease viewing, grepping, and comparing compressed files.
- Emulation of command line tools of LZMA Utils eases transition from LZMA Utils to XZ Utils.
While liblzma has a zlib-like API, liblzma doesn’t include any file I/O functions. A separate I/O library is planned, which would abstract handling of .gz, .bz2, and .xz files with an easy to use API.
Documentation
Man page with a keyword index: xz(1)
Doxygen-generated liblzma API documentation is also included in the source packages since XZ Utils 5.4.2.
Source code
Versions 5.2.12, 5.4.3, and later have been signed with Jia Tan’s OpenPGP key. The older files have been signed with Lasse Collin’s OpenPGP key.
See the NEWS file for a summary of changes between versions.
Stable
5.4.4 was released on 2023-08-02. A minor bug fix release 5.2.12 to the old stable branch was made on 2023-05-04. This is probably the last release in the 5.2.x series.
XZ Utils releases are hosted on GitHub and thus some of the links below redirect to the XZ Utils release section on GitHub. Release files are also available in the XZ Utils files section on Sourceforge.
xz-5.4.4.tar.gz (2808 KiB) signature
xz-5.4.4.tar.bz2 (2116 KiB) signature
xz-5.4.4.tar.zst (1680 KiB) signature
xz-5.4.4.tar.xz (1623 KiB) signature
Probably the last release of the old stable branch:
xz-5.2.12.tar.gz (2140 KiB) signature
xz-5.2.12.tar.bz2 (1593 KiB) signature
xz-5.2.12.tar.zst (1317 KiB) signature
xz-5.2.12.tar.xz (1275 KiB) signature
Development
The new APIs, command line options etc. in development releases should be considered unstable. Incompatible changes to unstable features may be done before they get included in a stable release.
There currently are no development releases.
Old versions
Source and binary packages of old XZ Utils releases are available on a separate page.
Git repository
The primary repository is on GitHub:
git clone https://github.com/tukaani-project/xz
It is mirrored with some delay to git.tukaani.org:
git clone https://git.tukaani.org/xz.git
Gitweb
Branches:
- master: the latest development code
- v5.4: fixes for the next 5.4.x release
- v5.2: fixes for the next 5.2.x release
- v5.0: fixes for the next 5.0.x release (unmaintained)
Building the code from the git repository requires GNU Autotools. Here are the minimum versions that should work with XZ Utils; using the latest versions is strongly recommended:
- Autoconf 2.69
- Automake 1.12
- gettext 0.19.6 (Note: autopoint depends on cvs!)
- Libtool 2.4
The following are optional dependencies. The autogen.sh script will fail if they are missing but autogen.sh takes command line arguments to disable these dependencies.
- po4a is needed for translated documentation (man pages). To build without po4a, use --no-po4a with autogen.sh.
- Doxygen is needed to generate liblzma API documentation. To build without Doxygen, use --no-doxygen with autogen.sh.
Security issues****xzgrep CVE-2022-1271, ZDI-CAN-16587
A patch to fix a security vulnerability in xzgrep (CVE-2022-1271, ZDI-CAN-16587) was made public on 2022-04-07. The patch applies to 4.999.9beta to 5.2.5, 5.3.1alpha, and 5.3.2alpha. Newer XZ Utils releases include an improved fix for the problem.
It is a severe issue if an attacker can control the filenames that are given on the xzgrep command line. The vulnerability was discovered by cleemy desu wayo working with Trend Micro Zero Day Initiative. For more information, see the detailed description in the patch file linked below.
xzgrep-ZDI-CAN-16587.patch
xzgrep-ZDI-CAN-16587.patch.sig
Bindings****Python
Python 3.3 includes bindings for liblzma. A backport of these bindings are available for Python 2 in the backports.lzma package.
lzmaffi is another Python binding which adds random-access decompression support.
The original Python 2 binding for liblzma is PylibLZMA.
Perl
Perl bindings for liblzma: IO-Compress-Lzma and Compress-Raw-Lzma.
Haskell
Haskell bindings.
Delphi and Free Pascal
Bindings and example programs for Delphi and Free Pascal are available here.
Pre-built binaries
Many free software operating systems already provide easy-to-install XZ Utils binaries. It doesn’t make sense to provide links to all those here. Instead, binaries or links to websites providing binaries are listed here only for operating systems that don’t have well-known repositories where users would get software like this.
If you have a website that provides up-to-date XZ Utils binaries for an operating system that meets the the criteria above, let me know and I will include a link here. Note that I won’t host the binaries themselves without a good reason.
Windows
The Windows version of XZ Utils includes binaries for 32-bit and 64-bit x86. The binaries only depend on msvcrt.dll, which is available on Windows 98 and later out of the box.
- Command line tools: xz, xzdec, lzmadec, lzmainfo
- Shared (DLL) and static liblzma, required C header files, and liblzma.def to create import libraries for non-GNU toolchains (no import library is needed with GNU toolchain)
- Documentation is in plain text (UTF-8) format. The man pages of the command line tools are included also as PDF.
5.2.10, 5.2.11, or 5.2.12 do not have anything significant for Windows so only 5.2.9 is here. 5.4.x builds are not provided for now.
xz-5.2.9-windows.zip (1473 KiB) signature
xz-5.2.9-windows.7z (708 KiB) signature
DOS
The DOS version of XZ Utils includes only the xz command line tool and some documentation. The xz tool should work e.g. on FreeDOS (also in DOSEMU), MS-DOS, and Windows 95/98/98SE/ME. This doesn’t necessarily work in DOSBox at all, and at least some problems are expected under Windows XP Command Prompt (signal handling doesn’t work).
Since the DOS version is naturally going to get very little testing, it is recommended to use the Windows version instead of the DOS version if you need xz under Windows 98 or later. It is likely that that the DOS version will be updated only occasionally.
5.2.0 and later have experimental support for 8.3 filenames. See xz-dos.txt in the binary package or dos/README.txt in the source package for details.
xz-5.4.0-dos.zip (277 KiB) signature
The package includes some copylefted code from DJGPP and CWSDPMI. The relevant source code is available from their home pages, and copies are also available below.
djlsr205.zip (2000 KiB)
djtst205.zip (1061 KiB)
csdpmi7s.zip (88 KiB)
Juan Manuel Guerrero has made a more complete port of XZ Utils to DOS. It also has support for short file names (8.3), but the naming method is different from the one found in 5.2.0 and later. It is available from DJGPP mirrors under /current/v2apps (e.g. xz-500b.zip for 5.0.0 binaries).
Supported platforms
Below is an incomplete and somewhat vague (version numbers mostly missing) list of operating systems on which XZ Utils should work. The compiler(s) or toolchains are mentioned in parenthesis. GCC refers to GCC 3 or later. If you have additions or corrections, please email them to me.
- GNU/Linux (GCC, Clang, ICC, IBM XL C)
- GNU/HURD (GCC)
- DragonflyBSD (GCC)
- FreeBSD (GCC, Clang)
- MirBSD (GCC)
- NetBSD (GCC)
- OpenBSD (Clang, GCC)
- MINIX 3 (GCC) [1]
- Haiku (GCC4)
- Mac OS X (GCC)
- Solaris 8, 9, 10, 11 (GCC, Sun Studio) [3]
- Solaris 2.6, 7 (GCC)
- HP-UX (GCC, HP ANSI C) [2]
- Tru64 (GCC, Compaq C compiler) [1]
- IRIX (MIPSpro) [1]
- AIX (GCC, IBM XL C)
- z/OS (IBM XL C)
- QNX (compilers?)
- OpenVMS (HP C compiler) [1]
- OpenVOS 17 (GCC)
- SCO OpenServer 5.0.7 (GCC 3.4.6, 4.2.4) [4]
- Windows 95 and later (GCC/MinGW, GCC/MinGW-w64, GCC/Cygwin, GCC/Interix, Visual Studio (VS can only build liblzma)) [1]
- OS/2, eComStation (GCC)
- DOS e.g. FreeDOS and MS-DOS (GCC/DJGPP) [1]
[1] See also the platform-specific notes in the INSTALL file.
[2] 2010-09-22: HP ANSI C compiler crashes when compiling XZ Utils on PA-RISC. On Itanium there are no problems.
[3] On Solaris 8 and 9 one may need to pass ac_cv_prog_cc_c99= to configure if using Sun Studio.
[4] Use --disable-threads when running configure.
Licensing
The most interesting parts of XZ Utils (e.g. liblzma) are in the public domain. You can do whatever you want with the public domain parts.
Some parts of XZ Utils (e.g. build system and some utilities) are under different free software licenses such as GNU LGPLv2.1, GNU GPLv2, or GNU GPLv3.
See the file COPYING for more details.
Related news
Red Hat OpenShift Virtualization release 4.8.7 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1798: kubeVirt: Arbitrary file read on the host from KubeVirt VMs
Red Hat OpenShift Virtualization release 4.9.6 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1798: kubeVirt: Arbitrary file read on the host from KubeVirt VMs
Gentoo Linux Security Advisory 202209-1 - A vulnerability has been discovered in GNU Gzip and XZ Utils' grep helpers which could result in writes to arbitrary files. Versions less than 1.12 are affected.
Red Hat OpenShift Container Platform release 3.11.784 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 3.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-39226: grafana: Snapshot authentication bypass
Openshift Logging Bug Fix Release (5.2.13) Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-38561: golang: out-of-bounds read in golang.org/x/text/language leads to DoS
Red Hat Security Advisory 2022-5192-01 - Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Issues addressed include a cross site scripting vulnerability.
Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes bug and security fixes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1902: stackrox: Improper sanitization allows users to retrieve Notifier secrets from GraphQL API in plaintext
The Migration Toolkit for Containers (MTC) 1.6.5 is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3807: nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes * CVE-2021-39293: golang: archive/zip: malformed archive may cause panic or memory exhaustion (incomplete fix of CVE-2021-33196)
Red Hat OpenShift Container Platform release 3.11.705 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 3.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1677: openshift/router: route hijacking attack via crafted HAProxy configuration file
Red Hat Security Advisory 2022-2265-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.58.