XZ Utils

XZ Utils (previously LZMA Utils) is a set of free software command-line lossless data compressors, including the programs lzma and xz, for Unix-like operating systems and, from version 5.0 onwards, Microsoft Windows. For compression/decompression the Lempel–Ziv–Markov chain algorithm (LZMA) is used. XZ Utils started as a Unix port of Igor Pavlov's LZMA-SDK that has been adapted to fit seamlessly into Unix environments and their usual structure and behavior.

Features
XZ Utils can compress and decompress the xz and lzma file formats. Since the LZMA format has been considered legacy, XZ Utils by default compresses to xz.

In most cases, xz achieves higher compression rates than alternatives like gzip and bzip2. Decompression speed is higher than bzip2, but lower than gzip. Compression can be much slower than gzip, and is slower than bzip2 for high levels of compression, and is most useful when a compressed file will be used many times.

XZ Utils consists of two major components:


 * xz, the command-line compressor and decompressor (analogous to gzip)
 * liblzma, a software library with an API similar to zlib

Various command shortcuts exist, such as lzma (for ), unxz (for xz --decompress; analogous to gunzip) and xzcat (for unxz --stdout; analogous to zcat).

Usage
Both the behavior of the software and the properties of the file format have been designed to work similarly to those of the popular Unix compressing tools gzip and bzip2.

Just like gzip and bzip, xz and lzma can only compress single files (or data streams) as input. They cannot bundle multiple files into a single archive – to do this an archiving program is used first, such as tar.

Compressing an archive: Decompressing the archive: Version 1.22 or greater of the GNU implementation of tar has transparent support for tarballs compressed with lzma and xz, using the switches --xz or -J for xz compression, and --lzma for LZMA compression.

Creating an archive and compressing it: Decompressing the archive and extracting its contents: Single-letter tar example for archive with compress and decompress with extract using short suffix: xz has supported multi-threaded compression (with the -T flag) since 2014, version 5.2.0; since version 5.4.0 threaded decompression has been implemented. Threaded decompression requires multiple compressed blocks within a stream which are created by the threaded compression interface. The number of threads can be less than defined if the file is not big enough for threading with the given settings or if using more threads would exceed the memory usage limit.

The xz format
The xz format improves on lzma by allowing for preprocessing filters. The exact filters used are similar to those used in 7z, as 7z's filters are available in the public domain via the LZMA SDK.

Development and adoption
Development of XZ Utils took place within the Tukaani Project, a small group of developers who once maintained a Linux distribution based on Slackware. The .xz file format specification version 1.0.0 was officially released in January 2009.

All of the source code for xz and liblzma has been released into the public domain. The XZ Utils source distribution additionally includes some optional scripts and an example program that are subject to various versions of the GNU General Public License (GPL). The resulting software xz and liblzma binaries are public domain, unless the optional LGPL getopt implementation is incorporated.

Binaries are available for FreeBSD, NetBSD, Linux systems, Microsoft Windows, and FreeDOS. A number of Linux distributions, including Fedora, Slackware, Ubuntu, and Debian use xz for compressing their software packages. Arch Linux previously used xz to compress packages, but as of December 27, 2019, packages are compressed with Zstandard compression. Fedora Linux also switched to compressing its RPM packages with Zstandard with Fedora Linux 31. The GNU FTP archive also uses xz.

Backdoor incident
On 29 March 2024, Andres Freund, a PostgreSQL developer working at Microsoft, announced that he had found a backdoor in XZ Utils, impacting versions 5.6.0 and 5.6.1. Compressed test files had been added to the code for setting up the backdoor via additions to the configure script in the tar files. He started his investigation because "After observing a few odd symptoms around liblzma (part of the xz package)" as he found that ssh logins using  were "taking a lot of CPU, valgrind errors". The vulnerability received a Common Vulnerability Scoring System (CVSS) score of 10 (the highest).