
XZ Utils 5.8 Debuts First Major Release Since Backdoor Incident

Author: Ze Research Writer
Read time: 9 min read
The XZ Utils project released version 5.8.0 on March 25, 2025, marking the first major feature release since the CVE-2024-3094 backdoor incident that shook the open source community in March 2024.

The XZ Utils project released version 5.8.0 on March 25, 2025, delivering the first major feature release since the CVE-2024-3094 backdoor incident that disrupted the open source ecosystem nearly one year ago. Maintainer Lasse Collin published the release through the official GitHub repository at 17:42 UTC, introducing performance improvements for the LZMA/LZMA2 decoder, expanded architecture support, and CMake build system stabilization.


What Happened

On March 25, 2025, at 17:42 UTC, Lasse Collin released XZ Utils version 5.8.0 through the tukaani-project GitHub repository. The release was signed with Collin's OpenPGP key and includes source packages in .tar.gz, .tar.bz2, and .tar.xz formats.

The version 5.8.0 release consolidates changes from the 5.7.x development series. According to the official release notes, the development cycle focused on performance optimization, architecture expansion, and build system improvements.

The release marks a significant milestone for the project following the March 2024 backdoor incident. After CVE-2024-3094 was disclosed on March 29, 2024, the XZ Utils project underwent extensive review and restructuring. The malicious code had been inserted by a contributor who had gained co-maintainer status over approximately two years of seemingly legitimate contributions.

Following the incident, Lasse Collin resumed sole maintenance of the project. The 5.4.x and 5.2.x branches received security updates, while the compromised 5.6.0 and 5.6.1 releases were removed from distribution.

Key Claims and Evidence

The release notes document several technical improvements with specific performance claims:

Decoder Performance: The liblzma library on 32-bit and 64-bit x86 systems uses SSE2 intrinsics instead of memcpy() in the LZMA/LZMA2 decoder when possible. The project states this can reduce decompression time by 0 to 5 percent in typical cases. Testing against musl libc showed over 15 percent time reduction with highly compressed files.

Encoder Improvements: The LZMA/LZMA2 encoder received speed improvements for 64-bit PowerPC (both endiannesses) and 64-bit RISC-V processors that support fast unaligned access.

CRC Optimization: The x86/x86-64/E2K CLMUL CRC code was rewritten. CRC32 instructions are now used on LoongArch architecture.

New APIs: Low-level APIs for RISC-V, ARM64, and x86 BCJ filters were added to lzma/bcj.h. According to the release notes, these additions are primarily for erofs-utils.

Build System: CMake support is no longer marked as experimental. The project states that CMake-based builds became feature complete in June 2024.

File Safety: The xz command line tool now synchronizes the output file and its directory using fsync() before deleting the input file. A new --no-sync option disables this behavior.
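To make the ordering behind this new default concrete, here is an added C example (not XZ Utils code): the output file and then its parent directory are fsync()ed before the input is unlinked, and a no_sync flag stands in for --no-sync. The file names under /tmp in the demo function are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <libgen.h>
#include <stdbool.h>
#include <stdio.h>
#include <unistd.h>

/* Flush out_path and then the directory holding it to stable storage, so the
 * new directory entry survives a crash. Returns 0 on success, -1 on failure. */
static int sync_file_and_dir(const char *out_path)
{
    int fd = open(out_path, O_RDONLY);
    if (fd < 0) return -1;
    int rc = fsync(fd);
    close(fd);
    if (rc != 0) return -1;

    char buf[4096];                 /* dirname() may modify its argument */
    snprintf(buf, sizeof buf, "%s", out_path);
    int dfd = open(dirname(buf), O_RDONLY);
    if (dfd < 0) return -1;
    rc = fsync(dfd);
    close(dfd);
    return rc;
}

/* xz 5.8.0 default: unlink the input only once the output is durable.
 * no_sync models --no-sync and skips the fsync() step. */
int finish_and_unlink(const char *out_path, const char *in_path, bool no_sync)
{
    if (!no_sync && sync_file_and_dir(out_path) != 0)
        return -1;                  /* keep the input; output may be lost */
    return unlink(in_path);
}

/* Demo on constructed files under /tmp: returns 1 if the input is gone and
 * the output is still present afterwards, 0 otherwise. */
int demo_round_trip(bool no_sync)
{
    const char *in = "/tmp/xz_sync_demo.in", *out = "/tmp/xz_sync_demo.out";
    FILE *fi = fopen(in, "w"), *fo = fopen(out, "w");
    if (!fi || !fo) { if (fi) fclose(fi); if (fo) fclose(fo); return 0; }
    fputs("constructed input\n", fi);  fclose(fi);
    fputs("constructed output\n", fo); fclose(fo);
    int rc = finish_and_unlink(out, in, no_sync);
    int ok = rc == 0 && access(in, F_OK) != 0 && access(out, F_OK) == 0;
    unlink(out);
    return ok;
}
```

When the output cannot be synced (for example because it does not exist), finish_and_unlink() returns -1 and leaves the input untouched, which is the failure mode the default is meant to guard against.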

Landlock Support: On Linux, xz and xzdec support Landlock ABI versions 5 and 6 for sandboxing.


Pros and Opportunities

The 5.8.0 release offers several advantages for users and system administrators:

Performance Gains: The SSE2 decoder optimizations provide measurable decompression speed improvements on x86 platforms without requiring code changes from applications using liblzma. Systems using musl libc see the largest benefits.

Broader Architecture Support: Encoder improvements for PowerPC and RISC-V expand the platforms where XZ Utils performs optimally. The new BCJ filter APIs support emerging use cases in embedded filesystem tools.

Data Integrity: The fsync() synchronization before input file deletion reduces the risk of data loss during compression operations if a system crash occurs.

Security Sandboxing: Updated Landlock support provides additional isolation for the command line tools on Linux systems with kernel support for the feature.

Build Flexibility: The stabilization of CMake support gives projects more options for integrating XZ Utils into their build systems. CMake is often preferred in cross-platform projects and IDE integrations.

API Stability: The maintained backward compatibility with liblzma 5.0.x through 5.6.x means existing applications can upgrade without code modifications.

Cons, Risks, and Limitations

Several considerations warrant attention before upgrading:

Deprecation Notices: The release marks the following LZMA Utils script aliases as deprecated: lzcmp, lzdiff, lzless, lzmore, lzgrep, lzegrep, and lzfgrep. Projects relying on these aliases should migrate to the xz-prefixed equivalents.

Behavioral Changes: The --single-stream option now implies --keep, which changes the default behavior for scripts using this flag. The fsync() synchronization adds overhead to compression operations, though --no-sync can disable it.

Trust Recovery: While the project has undergone review since the backdoor incident, some organizations may maintain heightened scrutiny of XZ Utils updates. The single-maintainer model, while providing clear accountability, also represents a potential bottleneck.

Testing Requirements: The performance improvements are architecture-specific. Organizations should benchmark their specific workloads rather than assuming the stated improvements apply universally.

Musl Dependency: The largest performance gains (over 15 percent) were observed with musl libc. Systems using glibc may see smaller improvements.


How the Technology Works

XZ Utils implements the .xz file format, which uses LZMA2 as its primary compression algorithm. LZMA2 is an evolution of the LZMA algorithm originally developed for the 7-Zip archiver.

Compression Pipeline: The LZMA algorithm uses a dictionary-based compression scheme combined with range encoding. Data is analyzed for repeating patterns, which are replaced with references to earlier occurrences. The dictionary size can range from 4 KB to 1.5 GB, with larger dictionaries enabling better compression at the cost of memory usage.

Decoder Architecture: The decoder reconstructs original data by reading the compressed stream and resolving pattern references against the dictionary. The SSE2 optimizations in version 5.8.0 accelerate the memory copy operations that dominate decoder execution time on x86 platforms.

BCJ Filters: Branch/Call/Jump filters preprocess executable code before compression. By converting relative addresses to absolute addresses, BCJ filters improve compression ratios for binary files. The new APIs in 5.8.0 expose low-level control over these filters for specialized applications like erofs-utils.

Landlock Sandboxing: On Linux kernels 5.13 and later, Landlock provides unprivileged sandboxing. The xz and xzdec tools use Landlock to restrict filesystem access during operation, limiting potential damage if a vulnerability were exploited.

Technical context: The liblzma API follows a streaming model similar to zlib. Applications initialize an encoder or decoder state, feed data through the processing functions, and finalize the stream. The API supports both single-call and incremental processing modes.

Industry Implications

The 5.8.0 release carries significance beyond its technical content due to the project's central role in open source infrastructure and the shadow of the 2024 backdoor incident.

Supply Chain Security: The XZ Utils backdoor became a case study in supply chain attacks against open source projects. The incident prompted discussions about maintainer burnout, contributor vetting, and the sustainability of critical infrastructure projects maintained by small teams or individuals.

Distribution Response: Linux distributions including Debian, Fedora, Ubuntu, and Arch Linux had to issue emergency updates when CVE-2024-3094 was discovered. The 5.8.0 release will flow through these same distribution channels, with maintainers evaluating the update against their security policies.

Compression Standards: XZ compression is embedded in numerous file formats and protocols. The Linux kernel uses xz for module compression. Package managers including dpkg and rpm support xz-compressed packages. The format's efficiency makes it attractive for bandwidth-constrained distribution.

Maintenance Models: The return to single-maintainer status after the backdoor incident reflects a broader tension in open source. Distributed maintenance can improve bus factor but introduces trust challenges. Concentrated maintenance provides accountability but creates sustainability risks.

Confirmed Facts and Open Questions

Confirmed:

  • Version 5.8.0 was released on March 25, 2025, at 17:42 UTC
  • The release is signed with Lasse Collin's OpenPGP key
  • API and ABI remain backward compatible with liblzma 5.0.x through 5.6.x
  • SSE2 decoder optimizations target x86 platforms
  • CMake support is no longer experimental
  • LZMA Utils script aliases are deprecated

Remains Unclear:

  • Distribution adoption timelines vary by project
  • Real-world performance improvements depend on specific workloads and system configurations
  • The project's long-term maintenance structure following the backdoor incident
  • Whether additional contributors will join the project under new vetting procedures

What to Watch Next

Distribution Updates: Monitor package repositories for Debian, Fedora, Ubuntu, Arch Linux, and other distributions to track 5.8.0 adoption. Security-focused distributions may conduct additional review before inclusion.

Erofs-utils Integration: The new BCJ filter APIs were added specifically for erofs-utils. Watch for corresponding updates in that project to understand the intended use cases.

Security Advisories: The tukaani.org security page documents known vulnerabilities. Any issues discovered in 5.8.0 would appear there and in the CVE database.

Build System Migration: Projects currently using Autotools for XZ Utils may evaluate CMake migration now that it has reached stable status.

Landlock Adoption: As Linux distributions ship newer kernels with Landlock support, the sandboxing features in xz and xzdec become more relevant for security-conscious deployments.

Sources

  1. XZ Utils GitHub Release v5.8.0 - https://github.com/tukaani-project/xz/releases/tag/v5.8.0 (March 25, 2025)
  2. 9to5Linux - "XZ Utils 5.8 Introduces Performance Improvements in the LZMA/LZMA2 Decoder" - https://9to5linux.com/xz-utils-5-8-introduces-performance-improvements-in-the-lzma-lzma2-decoder (March 25, 2025)
  3. Tukaani Project Official Site - https://tukaani.org/xz/ (accessed March 25, 2025)
