CVE-2025-31115 "xz: XZ has a heap-use-after-free bug in threaded .xz decoder" in -alpine images

[candrews]

The -alpine images have CVE-2025-31115 "xz: XZ has a heap-use-after-free bug in threaded .xz decoder" reported against them.

Alpine released xz-5.6.3-r1 that fixes this vulnerability.

$ docker run -it aquasec/trivy image python:3.13-alpine
2025-04-08T17:42:50Z	INFO	[vulndb] Need to update DB
2025-04-08T17:42:50Z	INFO	[vulndb] Downloading vulnerability DB...
2025-04-08T17:42:50Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
62.04 MiB / 62.04 MiB [-----------------------------------------------------------] 100.00% 10.33 MiB p/s 6.2s
2025-04-08T17:42:56Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2025-04-08T17:42:56Z	INFO	[vuln] Vulnerability scanning is enabled
2025-04-08T17:42:56Z	INFO	[secret] Secret scanning is enabled
2025-04-08T17:42:56Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-04-08T17:42:56Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2025-04-08T17:42:58Z	INFO	[python] License acquired from METADATA classifiers may be subject to additional terms	name="pip" version="24.3.1"
2025-04-08T17:42:58Z	INFO	Detected OS	family="alpine" version="3.21.3"
2025-04-08T17:42:58Z	WARN	This OS version is not on the EOL list	family="alpine" version="3.21"
2025-04-08T17:42:58Z	INFO	[alpine] Detecting vulnerabilities...	os_version="3.21" repository="3.21" pkg_num=28
2025-04-08T17:42:58Z	INFO	Number of language-specific files	num=1
2025-04-08T17:42:58Z	INFO	[python-pkg] Detecting vulnerabilities...
2025-04-08T17:42:58Z	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.56/docs/scanner/vulnerability#severity-selection for details.

python:3.13-alpine (alpine 3.21.3)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ xz-libs │ CVE-2025-31115 │ HIGH     │ fixed  │ 5.6.3-r0          │ 5.6.3-r1      │ xz: XZ has a heap-use-after-free bug in threaded .xz decoder │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-31115                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

[yosifkit]

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:buster would be rebuilt when debian:buster is built).

-https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves

To ensure that we don't push contentless image changes, we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

Luckily, there are Python version bumps today (#1018), so once we merge those changes up to https://github.com/docker-library/official-images they'll get built and pushed to Docker Hub.