CVE-2025-58058 (CNNVD-202508-3292)
中文标题:
xz 安全漏洞
英文标题:
github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives
漏洞描述
中文描述:
xz是一个应用软件。用于支持读取和写入xz压缩流。 xz 0.5.14之前版本存在安全漏洞,该漏洞源于LZMA编码字节流头部检测不足,可能导致内存消耗增加。
英文描述:
xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn't include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| ulikunitz | xz | < 0.5.14 | - | - |
cpe:2.3:a:ulikunitz:xz:<_0.5.14:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
3.1 (cna)
MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-58058 |
2025-11-11 15:23:30 | 2025-11-11 07:40:45 |
| NVD | nvd_CVE-2025-58058 |
2025-11-11 15:01:01 | 2025-11-11 07:48:32 |
| CNNVD | cnnvd_CNNVD-202508-3292 |
2025-11-11 15:12:55 | 2025-11-11 08:00:07 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 其他
- cnnvd_id: 未提取 -> CNNVD-202508-3292
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']