View Issue Details

ID: 0006504
Project: Rocky-Linux-9
Category: xz
View Status: public
Last Update: 2024-05-15 05:46
Reporter: Pierre Rouleau
Assigned To: Louis Abel
Status: closed
Resolution: reopened
Summary: 0006504: xz version 5.2.5 included in Rocky 9.3: affected by CVE-2020-22916
Description: xz library version 5.2.5, included in Rocky 9.3, is affected by a potential security issue. CVE-2020-22916
- Ref:

Steps To Reproduce: To see in shell:
  bash$ xz --version
  xz (XZ Utils) 5.2.5
  liblzma 5.2.5
Additional Information: The CVE describes this as: An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted file.


I am new to this community and its BT. I tried to search for CVE and I did not find it.
Please accept my apologies if this report is a duplicate.
Tags: No tags attached.


Louis Abel

2024-05-05 04:19

administrator   ~0006898

Thank you for the report, and welcome to the community!

This vulnerability has been marked as "disputed" - which means, there is insufficient evidence to show that this vulnerability really exists. The upstream project has confirmed this as well.

Attempting to exploit this vulnerability does not lead to the results as reported.

[root@xmpp01 tmp]# unxz -c payload
    xIIIIIIIIIIIZunxz: payload: Compressed data is corrupt

Was this CVE reported by some sort of security/vulnerability scanner? If so, which scanner software was used?
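
The check described in the note above (feed the file to the decoder and see whether it is rejected or ties up the machine) can be scripted with limits in place. This is an added example, not part of the original thread and not Rocky Linux or XZ Utils code; it uses Python's `lzma` module (a liblzma binding), and the helper name `triage_xz`, the limits and the sample inputs are assumptions constructed for illustration.

```python
import lzma
import subprocess
import sys

# Child process: decode stdin with liblzma under a memory cap, discarding output.
# Exit codes: 0 = decoded, 2 = rejected by the decoder, 3 = input ended early.
_CHILD = r"""
import lzma, sys
data = sys.stdin.buffer.read()
dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ, memlimit=int(sys.argv[1]))
try:
    while not dec.eof:
        dec.decompress(data, max_length=1 << 20)  # drain in 1 MiB steps
        data = b""
        if dec.needs_input and not dec.eof:
            sys.exit(3)
except lzma.LZMAError:
    sys.exit(2)
"""


def triage_xz(data: bytes, timeout_s: float = 10.0, memlimit: int = 64 << 20) -> str:
    """Classify liblzma's handling of `data` (hypothetical helper name)."""
    try:
        proc = subprocess.run(
            [sys.executable, "-c", _CHILD, str(memlimit)],
            input=data, capture_output=True, timeout=timeout_s,
        )
    except subprocess.TimeoutExpired:
        return "timeout"  # decoder never finished: the DoS-like outcome
    return {0: "ok", 2: "rejected", 3: "truncated"}.get(proc.returncode, "crashed")


# Constructed samples (not the file from the CVE report).
SAMPLE_OK = lzma.compress(b"constructed sample\n" * 1000, format=lzma.FORMAT_XZ)
SAMPLE_CORRUPT = SAMPLE_OK[:20] + bytes(b ^ 0xFF for b in SAMPLE_OK[20:24]) + SAMPLE_OK[24:]
SAMPLE_CUT = SAMPLE_OK[:-10]

if __name__ == "__main__":
    for name, blob in [("ok", SAMPLE_OK), ("corrupt", SAMPLE_CORRUPT), ("cut", SAMPLE_CUT)]:
        print(name, "->", triage_xz(blob))
```

A "rejected" result is the scripted counterpart of the "Compressed data is corrupt" message shown above; "timeout" or "crashed" are the outcomes that would support a denial-of-service report.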
Pierre Rouleau

2024-05-05 15:52

reporter   ~0006931

To answer the question on used scanner software: no, I did not use a specific scanner for this. I just happened to look at the xz version and I was previously aware of the vulnerability report for it; I was not aware that being disputed made it ok. I must be a little too cautious here. Sorry for the noise.

BTW, I did not find a way to add a note other than using the "Request Feedback on Issue" field.
Pierre Rouleau

2024-05-05 15:54

reporter   ~0006932

Sorry again, after refreshing the page the 'add note' field popped up.

Issue History

Date Modified     Username        Field                Change
2024-05-04 13:08  Pierre Rouleau  New Issue
2024-05-05 04:19  Louis Abel      Assigned To          => Louis Abel
2024-05-05 04:19  Louis Abel      Status               new => resolved
2024-05-05 04:19  Louis Abel      Resolution           open => unable to reproduce
2024-05-05 04:19  Louis Abel      Note Added: 0006898
2024-05-05 15:52  Pierre Rouleau  Status               resolved => feedback
2024-05-05 15:52  Pierre Rouleau  Resolution           unable to reproduce => reopened
2024-05-05 15:52  Pierre Rouleau  Note Added: 0006931
2024-05-05 15:54  Pierre Rouleau  Note Added: 0006932
2024-05-05 15:54  Pierre Rouleau  Status               feedback => assigned
2024-05-15 05:46  Louis Abel      Status               assigned => closed