Download Latest Version
xz-5.8.3-windows.7z (669.2 kB)
Get an email when there's a new version of XZ Utils
| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Parent folder | |||
| xz-5.8.3.tar.sig | 2026-03-31 | 566 Bytes | |
| xz-5.8.3-windows.7z.sig | 2026-03-31 | 566 Bytes | |
| xz-5.8.3-windows.7z | 2026-03-31 | 669.2 kB | |
| xz-5.8.3-windows.zip.sig | 2026-03-31 | 566 Bytes | |
| xz-5.8.3-windows.zip | 2026-03-31 | 1.1 MB | |
| xz-5.8.3.tar.xz.sig | 2026-03-31 | 566 Bytes | |
| xz-5.8.3.tar.bz2.sig | 2026-03-31 | 566 Bytes | |
| xz-5.8.3.tar.xz | 2026-03-31 | 1.5 MB | |
| xz-5.8.3.tar.bz2 | 2026-03-31 | 2.0 MB | |
| xz-5.8.3.tar.gz.sig | 2026-03-31 | 566 Bytes | |
| xz-5.8.3.tar.gz | 2026-03-31 | 2.8 MB | |
| README.md | 2026-03-31 | 2.4 kB | |
| XZ Utils 5.8.3 (stable) source code.tar.gz | 2026-03-31 | 1.7 MB | |
| XZ Utils 5.8.3 (stable) source code.zip | 2026-03-31 | 1.9 MB | |
| Totals: 14 Items | 11.7 MB | 3 | |
IMPORTANT: This includes a fix for CVE-2026-34743 which affects all XZ Utils versions since 5.0.0. No new 5.2.x, 5.4.x, or 5.6.x releases will be made, but the fix is in the v5.2, v5.4, and v5.6 branches in the xz Git repository.
5.8.3 (2026-03-31)
* liblzma:
- Fix a buffer overflow in lzma_index_append(): If
lzma_index_decoder() was used to decode an Index that
contained no Records, the resulting lzma_index was left in
a state where where a subsequent lzma_index_append() would
allocate too little memory, and a buffer overflow would occur.
The lzma_index functions are rarely used by applications
directly. In the few applications that do use these functions,
the combination of function calls required to trigger this bug
are unlikely to exist, because there typically is no reason to
append Records to a decoded lzma_index. Thus, it's likely that
this bug cannot be triggered in any real-world application.
The bug was reported and discovered by Cantina using their
AppSec agent, Apex.
- Fix the build on Windows ARM64EC.
- Add "License: 0BSD" to liblzma.pc.
* xz:
- Fix invalid memory access in --files and --files0. All of
the following must be true to trigger it:
1. A string being read (which supposedly is a filename) is
at least SIZE_MAX / 2 bytes long. This size is plausible
on 32-bit platforms (2 GiB - 1 B).
2. realloc(ptr, SIZE_MAX / 2 + 1) must succeed.
On glibc >= 2.30 it shouldn't because the value
exceeds PTRDIFF_MAX.
3. An integer overflow results in a realloc(ptr, 0) call.
If it doesn't return NULL, then invalid memory access
will occur.
- On QNX, don't use fsync() on directories because it fails.
* Autotools: Enable 32-bit x86 assembler on Hurd by default.
It was already enabled in the CMake-based build.
* Translations: Add Arabic man page translations.
