chore(core): Address CVE-2024-3094 and CVE-2025-31115 for xz/lzma dependency (fixes #1093). (#1094)

Co-authored-by: Lin Zhihao <[email protected]>

Author: jackluo923

components/core/CMakeLists.txt

@@ -312,6 +312,16 @@ if(CLP_NEED_LZMA)
         message(STATUS "Found Lzma ${LIBLZMA_VERSION_STRING}")
         message(STATUS "Lzma library location: ${LIBLZMA_LIBRARIES}")
         message(STATUS "Lzma Include Dir: ${LIBLZMA_INCLUDE_DIRS}")
+
+        # Version 5.8.1 and above address CVE-2024-3094 and CVE-2025-31115.
+        set(REQUIRED_LIBLZMA_VERSION "5.8.1")
+        if(LIBLZMA_VERSION_STRING VERSION_LESS ${REQUIRED_LIBLZMA_VERSION})
+            message(
+                FATAL_ERROR
+                "Detected LibLZMA version ${LIBLZMA_VERSION_STRING} is older than required"
+                " ${REQUIRED_LIBLZMA_VERSION}"
+            )
+        endif()
     else()
         message(FATAL_ERROR "Could not find ${CLP_LIBS_STRING} libraries for Lzma")
     endif()

components/core/tools/scripts/lib_install/centos-stream-9/install-packages-from-source.sh

@@ -12,4 +12,5 @@ lib_install_scripts_dir="${script_dir}/.."
 # NOTE: The remaining installation scripts depend on boost, so we install it beforehand.
 "${lib_install_scripts_dir}/install-boost.sh" 1.87.0
 
+"${lib_install_scripts_dir}/liblzma.sh" 5.8.1
 "${lib_install_scripts_dir}/msgpack.sh" 7.0.0

components/core/tools/scripts/lib_install/centos-stream-9/install-prebuilt-packages.sh

@@ -20,9 +20,7 @@ dnf install -y \
     mariadb-connector-c-devel \
     openssl-devel \
     python3-pip \
-    unzip \
-    xz \
-    xz-devel
+    unzip
 
 # Determine architecture for `task` release to install
 rpm_arch=$(rpm --eval "%{_arch}")

components/core/tools/scripts/lib_install/liblzma.sh

@@ -26,6 +26,45 @@ if [ "$#" -lt 1 ] ; then
 fi
 version=$1
 
+# Ensure version must be greater or equal to 5.8.1 to mitigate both CVE-2024-3094 (resolved in
+# version >5.6.1) and CVE-2025-31115 (resolved in version >5.8.0).
+validate_minimum_required_version() {
+    min_required_major=5
+    min_required_minor=8
+    min_required_patch=1
+
+    local major minor patch
+
+    IFS='.' read -r major minor patch <<< "$version"
+
+    # Check the major version
+    if (( major > min_required_major )); then
+        return 0
+    elif (( major < min_required_major )); then
+        return 1
+    fi
+
+    # Check the minor version
+    if (( minor > min_required_minor )); then
+        return 0
+    elif (( minor < min_required_minor )); then
+        return 1
+    fi
+
+    # Check the patch version
+    if (( patch >= min_required_patch )); then
+        return 0
+    fi
+
+    return 1
+}
+
+if ! validate_minimum_required_version "$version"; then
+    echo "Error: Version $version must be greater or equal to 5.8.1 to mitigate CVE-2024-3094 and" \
+         " CVE-2025-31115."
+    exit 1
+fi
+
 package_name=liblzma
 temp_dir=/tmp/${package_name}-installation
 deb_output_dir=${temp_dir}

components/core/tools/scripts/lib_install/ubuntu-jammy/install-packages-from-source.sh

@@ -13,7 +13,7 @@ lib_install_scripts_dir=$script_dir/..
 "$lib_install_scripts_dir"/install-boost.sh 1.87.0
 
 "$lib_install_scripts_dir"/libarchive.sh 3.5.1
-"$lib_install_scripts_dir"/liblzma.sh 5.4.6
+"$lib_install_scripts_dir"/liblzma.sh 5.8.1
 "$lib_install_scripts_dir"/lz4.sh 1.8.2
 "$lib_install_scripts_dir"/msgpack.sh 7.0.0
 "$lib_install_scripts_dir"/zstandard.sh 1.4.9