Message-ID: <871pu9gu5r.fsf@gentoo.org>
Date: Thu, 03 Apr 2025 16:08:00 +0100
From: Sam James <sam@...too.org>
To: oss-security@...ts.openwall.com
CC: Lasse Collin <lasse.collin@...aani.org>, Sebastian Andrzej Siewior <sebastian@...akpoint.cc>
Subject: XZ Utils: Threaded decoder frees memory too early (CVE-2025-31115)

Hi!

An issue has been found in xz. I emphasise that it's not an issue related to the nasty events of last year, and it wasn't introduced by Jia. Nonetheless, it's a bug with some security impact.

This was privately communicated to the private distros ML on 2025-03-31. We have attached patches which will be part of 5.8.1 and should apply cleanly to the affected versions.

The CVE for this issue, allocated by GitHub, is CVE-2025-31115.

I'm sending this on behalf of Lasse Collin (cc'd).

..

Advisory link: https://tukaani.org/xz/threaded-decoder-early-free.html

GitHub advisory link: https://github.com/tukaani-project/xz/security/advisories/GHSA-6cc8-p5mm-29w2

# Impact

The threaded .xz decoder in liblzma has a bug that can at least result in a crash (denial of service). The effects include heap use after free and writing to an address based on the null pointer plus an offset.

This affects XZ Utils versions from 5.3.3alpha to 5.8.0. Applications and libraries that use the lzma_stream_decoder_mt function are affected.

# Patches

The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases (attached to this email).

For convenience, links are below for...

5.4:
* https://github.com/tukaani-project/xz/commit/77bc2d6f3b6e1506c122b03cff49c902219869e3
* https://github.com/tukaani-project/xz/commit/bdb788137e1f1d967e0c9d885b859e5b95c1b5bf
* https://github.com/tukaani-project/xz/commit/2ce9ab6588a94cbf04a9c174e562ea5feb00cfb3
* https://github.com/tukaani-project/xz/commit/9a9c17712bd2a070581d9239692e527a2fe13845
* https://github.com/tukaani-project/xz/commit/c8bb46c5a16ed02401f4a0b46c74f0f46c1b6434

5.6:
* https://github.com/tukaani-project/xz/commit/fb1210f215d61bd3ea373d61e4d86d29648e1bab
* https://github.com/tukaani-project/xz/commit/c1a91b8baeb947c5b232a6c3d6319267131830bc
* https://github.com/tukaani-project/xz/commit/f74cf18ad084a9185d8ae148d89265860aa8004c
* https://github.com/tukaani-project/xz/commit/1b874b4f04909b7bb5259cb612ecef39a434dde8
* https://github.com/tukaani-project/xz/commit/6ff5b8c55960f9ebc917b668bd3567ef217175fa

5.8:
* https://github.com/tukaani-project/xz/commit/b9d168eee4fb6393b4fe207c0aeb5faee316ca1a
* https://github.com/tukaani-project/xz/commit/831b55b971cf579ee16a854f177c36b20d3c6999
* https://github.com/tukaani-project/xz/commit/c0c835964dfaeb2513a3c0bdb642105152fe9f34
* https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480
* https://github.com/tukaani-project/xz/commit/8188048854e8d11071b8a50d093c74f4c030acc9

and xz-5.8.1 has just been released.

# Workarounds

The single-threaded .xz decoder (lzma_stream_decoder) isn't affected. The commands xz --decompress --threads=1 and xzdec use the single-threaded decoder.

# Credits

Thanks to Harri K. Koskinen for discovering and reporting this issue. Thanks to Sebastian Andrzej Siewior for reviewing the patches. Thanks to Sam James for general help.

# Why didn't fuzzing find this?

XZ Utils is fuzzed by OSS-Fuzz. However, there was no program to fuzz the multithreaded .xz decoder. Even if there had been, it likely would have used the fuzz_code function in fuzz_common.h like the existing fuzz targets did. That function called lzma_code in such a way that it would have been impossible to trigger this bug.

Lasse Collin has been working on improving the fuzzer and with some changes, we've been able to make it detect the bug. See https://github.com/tukaani-project/xz/commit/48440e24a25911ae59e8518b67a1e0f6f1c293bf and https://github.com/tukaani-project/xz/commit/513cabcf7f5ce1c3ed0619e791393fc53d1dbbd0 for that.

Attachments: "xz-cve-2025-31115.patch" (text/x-patch, 11949 bytes), "signature.asc" (application/pgp-signature, 378 bytes)
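The advisory gives an affected range (5.3.3alpha to 5.8.0) and a workaround (fall back to lzma_stream_decoder). The C below is an added example, not code from the email or from the xz project: it decodes liblzma's integer version number (the scheme of LZMA_VERSION in lzma/version.h, major*10000000 + minor*10000 + patch*10 + stability, with stability 0 = alpha, 1 = beta, 2 = stable) and decides whether an application should avoid the threaded decoder. The function names here are assumptions; in a real program the input would be the value returned by lzma_version_number() from <lzma.h>, which is not linked here so the block runs stand-alone.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded form of the liblzma version integer (LZMA_VERSION scheme). */
struct lzma_ver {
    unsigned major, minor, patch, stability;
};

/* Split a value in the form lzma_version_number() returns:
 * major*10000000 + minor*10000 + patch*10 + stability
 * (stability: 0 = alpha, 1 = beta, 2 = stable). */
struct lzma_ver decode_lzma_version(uint32_t v)
{
    struct lzma_ver r;
    r.major = v / 10000000u;
    v %= 10000000u;
    r.minor = v / 10000u;
    v %= 10000u;
    r.patch = v / 10u;
    r.stability = v % 10u;
    return r;
}

/* Build the same encoding; used to express the advisory's range as integers. */
static uint32_t encode_lzma_version(unsigned major, unsigned minor,
                                    unsigned patch, unsigned stability)
{
    return major * 10000000u + minor * 10000u + patch * 10u + stability;
}

/* True when the version is inside [5.3.3alpha, 5.8.0], the range the
 * advisory lists for CVE-2025-31115. Because the encoding is monotonic
 * (alpha < beta < stable within one patch level), plain integer
 * comparison gives the right ordering. */
bool lzma_mt_decoder_affected(uint32_t v)
{
    const uint32_t first = encode_lzma_version(5, 3, 3, 0); /* 5.3.3alpha */
    const uint32_t last  = encode_lzma_version(5, 8, 0, 2); /* 5.8.0      */
    return v >= first && v <= last;
}

/* Name of the liblzma decoder initializer an application should pick:
 * the single-threaded one (the advisory's workaround) while the threaded
 * decoder is in the affected range, the threaded one otherwise. */
const char *choose_decoder(uint32_t v)
{
    return lzma_mt_decoder_affected(v) ? "lzma_stream_decoder"
                                       : "lzma_stream_decoder_mt";
}

int main(void)
{
    /* Constructed sample values; 50060032 is how 5.6.3 is encoded,
     * 50080012 is 5.8.1. A real program would call lzma_version_number(). */
    const uint32_t samples[] = { 50030022u, 50030030u, 50060032u,
                                 50080002u, 50080012u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct lzma_ver ver = decode_lzma_version(samples[i]);
        printf("liblzma %u.%u.%u (stability %u): %s -> use %s\n",
               ver.major, ver.minor, ver.patch, ver.stability,
               lzma_mt_decoder_affected(samples[i]) ? "affected" : "not affected",
               choose_decoder(samples[i]));
    }
    return 0;
}
```

Treat the result as conservative: distributions ship the attached patch on top of 5.4.x and 5.6.x without changing the version number, so a library that reports 5.6.3 may already be fixed, and only the package's changelog or a test against the fix can tell. Selecting lzma_stream_decoder in that case costs throughput, not correctness.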