CVE-2025-58058 github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives

xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current...