Preparation of release v0.5.14

ulikunitz · ulikunitz · commit 7184815834c4 · 2025-08-28T20:38:17.000+02:00
The commit includes preparations for the release v0.5.14 including go
fmt, release notes and updates to TODO.md.
diff --git a/TODO.md b/TODO.md
@@ -1,14 +1,5 @@
 # TODO list
 
-## Release v0.5.14
-
-* If the DictionarySize is larger than the UncompressedSize set it to
-  UncompressedSize
-* make a Header() (h Header, ok bool) function so the user can implement its own
-  policy
-* Add documentation to Reader to explain the situation
-* Add a TODO for the rewrite version
-
 ## Release v0.6
 
 1. Review encoder and check for lzma improvements under xz.
@@ -91,6 +82,13 @@
 
 ## Log
 
+## 2025-08-28
+
+Release v0.5.14 addresses the security vulnerability CVE-2025-58058. If you put
+bytes in from of a LZMA stream, the header might not be read correctly and
+memory for the dictionary buffer allocated. I have implemented mitigations for
+the problem.
+
 ### 2025-08-20
 
 Release v0.5.13 addressed issue #61 regarding handling of multiple WriteClosers
diff --git a/doc/relnotes/release-v0.5.14.md b/doc/relnotes/release-v0.5.14.md
@@ -0,0 +1,5 @@
+# Release Notes v0.5.14
+
+This release addresses security vulnerability CVE-2025-58058. It implements a
+number of mitigation for a resource leak problem. It needs to only to be updated
+if lzma.NewWriter is used.
diff --git a/lzma/reader.go b/lzma/reader.go
@@ -19,7 +19,7 @@ import (
 // ReaderConfig stores the parameters for the reader of the classic LZMA
 // format.
 type ReaderConfig struct {
-	// Since v0.5.14 this parameter sets an upper limit for a .lzma file's 
+	// Since v0.5.14 this parameter sets an upper limit for a .lzma file's
 	// dictionary size. This helps to mitigate problems with mangled
 	// headers.
 	DictCap int
diff --git a/lzma/reader_test.go b/lzma/reader_test.go
@@ -377,7 +377,7 @@ func TestZeroPrefixIssue(t *testing.T) {
 			}
 			h, ok := l.Header()
 			t.Logf("Header %+v ok %v", h, ok)
-			actualDictSize := len(l.d.Dict.buf.data)-1
+			actualDictSize := len(l.d.Dict.buf.data) - 1
 			t.Logf("Actual dictionary size: %d", actualDictSize)
 			if actualDictSize > MinDictCap && h.Size >= 0 &&
 				h.Size < int64(actualDictSize) {
diff --git a/lzma/writer.go b/lzma/writer.go
@@ -13,7 +13,7 @@ import (
 // MinDictCap and MaxDictCap provide the range of supported dictionary
 // capacities.
 const (
-	MinDictCap  = 1 << 12
+	MinDictCap = 1 << 12
 	MaxDictCap = 1<<32 - 1
 )
 

Original file line number	Diff line number	Diff line change
`@@ -377,7 +377,7 @@ func TestZeroPrefixIssue(t *testing.T) {`
`377`	`377`	`}`
`378`	`378`	`h, ok := l.Header()`
`379`	`379`	`t.Logf("Header %+v ok %v", h, ok)`
`380`		`- actualDictSize := len(l.d.Dict.buf.data)-1`
	`380`	`+ actualDictSize := len(l.d.Dict.buf.data) - 1`
`381`	`381`	`t.Logf("Actual dictionary size: %d", actualDictSize)`
`382`	`382`	`if actualDictSize > MinDictCap && h.Size >= 0 &&`
`383`	`383`	`h.Size < int64(actualDictSize) {`
Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ import (`
`13`	`13`	`// MinDictCap and MaxDictCap provide the range of supported dictionary`
`14`	`14`	`// capacities.`
`15`	`15`	`const (`
`16`		`- MinDictCap = 1 << 12`
	`16`	`+ MinDictCap = 1 << 12`
`17`	`17`	`MaxDictCap = 1<<32 - 1`
`18`	`18`	`)`
`19`	`19`