LFS Security Advisories for LFS 12.3 and the current development books.
LFS-12.3 was released on 2025-03-05
This page is in alphabetical order of packages, and if a package has multiple advisories the newer ones come first.
The links at the end of each item point to fuller details which have links to the development books.
Glibc
Updating Glibc from an earlier version on a running LFS system requires extra precautions to avoid breaking the system. The precautions are documented in an "Important" box of the LFS book section for Glibc. Follow it strictly or you may render the system completely unusable.
12.3 085 glibc (LFS) Date: 2025-08-05 Severity: Medium
In glibc-2.42, a security vulnerability was fixed that can allow for a double free when using the regcomp() function. The double free can be triggered by a malloc failure or by using an interposed malloc that injects random malloc failures, and the double free is known to cause buffer manipulation depending on how the regex passed to regcomp() is constructed. All versions from glibc-2.4 to 2.41 are known to be affected. This can cause arbitrary code execution or a denial of service.
Please read the link to fix this vulnerability: 12.3-085
coreutils
12.3 043 coreutils (LFS) Date: 2025-06-02 Severity: Medium
In coreutils-9.6, a security vulnerability was discovered that could allow for a denial of service (application crash) or leakage of sensitive data when using the 'sort' utility. The vulnerability is a heap buffer under-read. Update to coreutils-9.7 with the patch. 12.3-043
Expat
12.3 006 Expat (LFS) Date: 2025-05-20 Severity: High
In Expat-2.7.1, a security vulnerability was fixed that could result in a crash from chaining a large number of entities. The crash is caused by a stack overflow, and it was resolved by fixing the usage of recursion for general entities in character data, general entities in attribute data, and parameter entities. Update to Expat-2.7.1 as soon as possible. 12.3-006
Perl
12.3 042 Perl (LFS) Date: 2025-06-02 Severity: Medium
In Perl-5.40.2, a security vulnerability was discovered that could allow for a race condition where file operations may target unintended paths. The vulnerability is known to cause arbitrary code execution as well as loading files from unexpected locations. Rebuild Perl-5.40.2 with the patch. 12.3-042
12.3 017 Perl (LFS) Date: 2025-05-20 Severity: High
In Perl-5.40.2, a security vulnerability was fixed that could allow for a denial of service or arbitrary code execution when transliterating non-ASCII bytes. The vulnerability is caused by a heap buffer overflow and a subsequent out-of-bounds write. Update to Perl-5.40.2. 12.3-017
Python
12.3 088 Python (LFS and BLFS) Date: 2025-08-10 Severity: High
In Python-3.13.6, four security vulnerabilities were fixed in the HTML Parser functionality that can allow for cross-site scripting, denial of service (unbounded resource consumption), and for hidden HTML code to be processed. These vulnerabilities mostly occur because the previous versions of Python did not adhere to the HTML 5 standard correctly. Update to Python-3.13.6, or follow the instructions in the advisory if you are on an older version of Python. 12.3-088
12.3 087 Python (LFS and BLFS) Date: 2025-08-05 Severity: High
A security vulnerability was discovered in Python-3.13.5 that can allow the tarfile module to process tar archives with negative offsets without an error, which would result in an infinite loop and a deadlock when processing maliciously crafted tar archives. Upstream has prepared a patch for the vulnerability which the BLFS editors have turned into a sed. Users who process tar files using the tarfile module in Python should rebuild Python with the sed command to resolve this vulnerability. 12.3-087
12.3 047 Python (LFS and BLFS) Date: 2025-06-04 Severity: Critical
In Python-3.13.4, five security vulnerabilities were fixed that could allow for a denial of service when processing long IPv6 addresses, and for tarfile extraction filters to be bypassed using crafted symlinks and hard links. The extraction filter bypasses allow attackers to write arbitrary files onto a user's filesystem when decompressing a tar file using the 'tarfile' Python module. Update to Python-3.13.4. 12.3-047
12.3 018 Python (LFS and BLFS) Date: 2025-05-20 Severity: Medium
In Python-3.13.3, two security vulnerabilities were fixed that could allow for email header spoofing and a denial-of-service (unbounded memory usage). In addition, another vulnerability was resolved after this release of Python that can cause a crash when using the unicode_escape encoding or an error handler when decoding bytes using the bytes.decode() function. Update to Python-3.13.3 and apply the patch for the bytes.decode() vulnerability. 12.3-018
systemd
12.3 044 systemd (LFS and BLFS) Date: 2025-06-02 Severity: Medium
In systemd-257.6, a security vulnerability was fixed that allows an attacker to force a SUID process to crash and then replace the program with a non-SUID binary in order to access the original privileged process's coredump. This allows the attacker to read extremely sensitive data, such as the content of /etc/shadow. Update to systemd-257.6. 12.3-044
vim
12.3 072 vim (LFS and BLFS) Date: 2025-07-16 Severity: Medium
In vim-9.1.1552, two security vulnerabilities were fixed that could allow for path traversal when using the tar.vim and zip.vim plugins to view a malicious TAR or ZIP file. It is possible for vim to extract arbitrary files into directories on the system if a relative path is used within the TAR/ZIP file, which can be used to place files necessary to exploit other vulnerabilities on the system. Update to vim-9.1.1552. 12.3-072
xz
12.3 019 xz (LFS) Date: 2025-05-20 Severity: High
In xz-5.8.1, a security vulnerability was fixed that could allow invalid input, when decompressing an XZ file, to cause a denial of service or potentially arbitrary code execution. Update to xz-5.8.1. 12.3-019