diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest b/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest index d7fa5a6d36..3bcf223499 100644 --- a/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest 
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 596819 BLAKE2B 63522f06337573996c66aa3c0b81ef535020898b18e1885eee805fd1835f056debd8871c1b871e9129a2cfd9138cdf6cb96404b2859059f0e8906b7e44fbcee9 SHA512 87fcb2c073963a66ce8ec1e356d102364b832e77939304f57faeeda9b592eab9192b225eb977ad168b619ca3b7f0da1061763084ff671cea0d6a094c478551f0 -TIMESTAMP 2025-04-01T06:10:43Z +MANIFEST Manifest.files.gz 596980 BLAKE2B eddb25532154bba44bb35623eb68543626c56c08b4a9b70673d678e12e2e9d223dee9cf4d0203ab7966bfde59e62bbac75b407365fffaffd689f74499226bdef SHA512 63607f6c6d89e0de89c2ed0d49a183cf3ebf144547b6b6c3a675072d222d42a76895e60d6f7b099c2762d742420925f50f5f0705f64f212c92b5228a8c6aac91 +TIMESTAMP 2025-05-01T06:40:34Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmfrg2NfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmgTF2JfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klA/uw/+IQmu9DSSDbsEjnWyooGUNr+aXX5NjlQX2+8c7AWpFugIUJCqiHFXyM1Q -oXe76kt/DK8I8za/2ouhAzauiSib4J1fdTxk+vzQS99EH+ocerbDWS5Twxb/7p7V -/6n4YdRN1wIQUOScvCDui/o6hqXOFk9LdGXBaDr388USilca08DSx0kK1aK/UFX6 -ZVGltml3Qax5PgbFdYAD68tS2KKDYCwtCouUMQ0kG96P+EQfgWdH3FDZ9DZ3GbYs -q7Q6Bj77vRKY5PFAQTlePRSsp1hpCsfeZESi3dTdgagiG5BRaOhGoMzkbnzSNXlu -xRu713wcSFXTNgpZvXP08tb2HudB4bpvo7FT7pDhmJq2CmVqdoNenaiU5ewb3yKp -I2YH/BqDKuYpFOOd/KfjRt6X+YtMM33KwMa3erWxk+G9ObTEV/iugleawiVPXBrr -kN2OJCgt+Gz0oXdx3ieWvql95X7UDxGyYNvrZsOcVPct2MGRtsyjLS5Dbz00Viea -huQ0t4CU6eJ093g88vKDfmMwTP7ViRX1z4447iAonb90tucRnGy+0WAWYmHq2uWQ -rzLSlxBFxtsxxzRYXvb11V/MD7lxE968IYx1pB/n12vl7CoIVL+wfrDWYWZB/Vv5 -oS1SxZa7EBMHE0i35PhMeE1SMKMQFDKvwShtLW4cK4rz7D/G1NM= -=m/Wp +klDRMQ/+PAi2qYoR0sip4LFgbYOupfpmsR8tU5KJ1/74lCyKWzBeJXLv6ZpzzUfQ +/zdiT7LTQTI/S+rLzGZ9iuru+SDj+TmSaqqe3/V47EMXrIUMQmi2/wpv4Xdz6SZv +vaIEnBvxy7AcER2kd3SjuP7oqh49lY3M8lSxGzDcyLuKLMtA0GruuXoOHK8Kc32p 
+e4MTmHiysNkwQ48mxpogteDz6UzMDz69H+RidhBJLcXj+VNi69jmLFUUWJ0WlINK +BScxduFU4NdYew2iDUFohVSAvLshHnpWUg/S6WlJo1Kf7XSjROBnuNxbrHrRfBRh +m4mx1fdXE73jM7QOpyx+BflrOEBmvrsGC2WJpI+YU5HmhRldkq9I1+amcPJEx/WD +8lTul44UWczfeDxOjVSwQ4Ez0a3YzGxtvo/6aT/P/8u6lxZwXC73F4vPe9B/qQDn +tCVkS4kDfMQf3zUlypFo3ny6eF54AcWzaT6XDIYVYJD1aSMXXqHhoffznAFB9Tjd +gmYAjCPk/6Oi7WPKEg+TryBnQLv9GEL7TRpQDAAMf0vc8OXwsJbEfS1HO8msMjA7 ++q4SVTPh7y9uKR62hu9MLuEXBxm3w4fS+U8e+62SVPIqwFsa5Q92Sh98AOPjK9yY +ViFNSQ0SCOaoWbmk9YFaC7JywXnlIXpD7si1W5a4hQ9aIF+qLqs= +=4GyX -----END PGP SIGNATURE----- diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest.files.gz b/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest.files.gz index 3253252d39..174f96b7d2 100644 Binary files a/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest.files.gz and b/sdk_container/src/third_party/portage-stable/metadata/glsa/Manifest.files.gz differ diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202504-01.xml b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202504-01.xml new file mode 100644 index 0000000000..1e80046976 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/glsa-202504-01.xml @@ -0,0 +1,44 @@ + + + + XZ Utils: Use after free + A vulnerability has been discovered in XZ Utils, which could lead to denial of service. + xz-utils + 2025-04-05 + 2025-04-05 + 953086 + remote + + + 5.6.4-r1 + 5.6.4-r1 + + + +

XZ Utils is free general-purpose data compression software with a high compression ratio.

+
+ +

A use-after-free has been discovered in XZ utils. Please review the CVE identifier referenced below for details.

+
+ +

The multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. + +It's unlikely one can achieve more than a crash if xz is built with PIE on a 64-bit system especially, as is done in Gentoo by default.

+
+ +

There is no known workaround at this time.

+
+ +

All XZ utils users should upgrade to the latest version:

+ + + # emerge --sync + # emerge --ask --oneshot --verbose ">=app-arch/xz-utils-5.6.4-r1" + +
+ + CVE-2025-31115 + + sam + sam +
\ No newline at end of file diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk index f75a4e36bb..66c0857d6d 100644 --- a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.chk @@ -1 +1 @@ -Tue, 01 Apr 2025 06:10:40 +0000 +Thu, 01 May 2025 06:40:32 +0000 diff --git a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit index ad34d21cfe..d4c903585d 100644 --- a/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit +++ b/sdk_container/src/third_party/portage-stable/metadata/glsa/timestamp.commit @@ -1 +1 @@ -8c44a0fc9958fea4290f5cca3cda73137cf7786a 1743192053 2025-03-28T20:00:53Z +da2df533a0a1b5799029686bc64ece18ac31947e 1743813771 2025-04-05T00:42:51Z
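
Review bot: nothing visible in the Manifest hunk or the Manifest.files.gz entry lets a reviewer confirm that the committed blob matches the newly signed digests. Manifest.files.gz appears only as "Binary files ... differ", while its MANIFEST line changes size (596819 to 596980) and both the BLAKE2B and SHA512 values, and the PGP signature is replaced along with them. Before merging, verify the clearsigned Manifest against the expected upstream signing key, check the committed Manifest.files.gz against the new size and hashes, and record the result in the PR description.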
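
Review bot: the new glsa-202504-01.xml names ">=app-arch/xz-utils-5.6.4-r1" as the fix in its resolution section, but this patch touches only files under metadata/glsa, so merging it does not change the xz-utils version that gets built. Please confirm that the packaged app-arch/xz-utils is already at 5.6.4-r1 or later, or link the follow-up bump, since the advisory says there is no known workaround and that anything calling lzma_stream_decoder_mt is affected. Minor: the file ends with "\ No newline at end of file"; if it is mirrored verbatim from upstream, leave it as is rather than fixing it locally.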
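
Review bot: the timestamps in the last two hunks have drifted apart and the change does not say why. timestamp.chk moves to "Thu, 01 May 2025 06:40:32 +0000" and the Manifest TIMESTAMP to 2025-05-01T06:40:34Z, while timestamp.commit moves to da2df533a0a1b5799029686bc64ece18ac31947e dated 2025-04-05T00:42:51Z. Before this change the two were four days apart (2025-03-28 and 2025-04-01); now they are almost four weeks apart. That fits the only advisory added here being dated 2025-04-05, but please confirm the sync source was current and had no later GLSA commits, and say so in the commit message.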