Highlights
Integer Overflow: 4 prior fixes. Scrutinize any change in this area.
src/xz/file_io.c: most-fixed (6 issues). Treat as high-risk during review.
11 high-severity fixes in this history; regressions here are high-impact.
Recurring patterns
The bug types that recur here, drawn from past fixes, not open vulnerabilities.
Malicious Backdoor: A sophisticated backdoor (CVE-2024-3094) was injected into test files as binary payloads, highlighting critical supply chain risks where binary test files can hide arbitrary payload execution blocks. Developers must strictly audit and prohibit opaque binary blobs in test suites.
Command Injection: Shell scripts that use 'eval' or escape arguments are prone to command injection via filenames containing newlines or invalid multibyte sequences on systems with non-GNU utilities. Forcing a predictable LC_ALL=C locale and robust escaping is mandatory to mitigate this.
Buffer Overflow: Complex dictionary compression and state tracking in encoders/decoders are prone to heap and static buffer overflows when handling edge-case sizes or temporary buffers during compression states.