Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <871pu9gu5r.fsf@gentoo.org>
Date: Thu, 03 Apr 2025 16:08:00 +0100
From: Sam James <sam@...too.org>
To: oss-security@...ts.openwall.com
CC: Lasse Collin <lasse.collin@...aani.org>, Sebastian Andrzej Siewior
 <sebastian@...akpoint.cc>
Subject: XZ Utils: Threaded decoder frees memory too early (CVE-2025-31115)

Hi!

An issue has been found in xz. I emphasise that it's not an issue
related to the nasty events of last year, and it wasn't introduced by
Jia. Nonetheless, it's a bug with some security impact.

This was privately communicated to the private distros ML on 2025-03-31.

We have attached patches which will be part of 5.8.1 and should apply
cleanly to the affected versions.

The CVE for this issue, allocated by GitHub is CVE-2025-31115. I'm
sending this on behalf of Lasse Collin (cc'd).

..

Advisory link: https://tukaani.org/xz/threaded-decoder-early-free.html
GitHub advisory link: https://github.com/tukaani-project/xz/security/advisories/GHSA-6cc8-p5mm-29w2

# Impact

The threaded .xz decoder in liblzma has a bug that can at least result
in a crash (denial of service).  The effects include heap use after free
and writing to an address based on the null pointer plus an offset.

This affects XZ Utils versions from 5.3.3alpha to 5.8.0. Applications
and libraries that use the lzma_stream_decoder_mt function are affected.

# Patches

The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed
to the v5.4, v5.6, v5.8, and master branches in the xz Git
repository. No new release packages will be made from the old stable
branches, but a standalone patch is available that applies to all
affected releases (attached to this email).

For convenience, links are below for...

5.4:
* https://github.com/tukaani-project/xz/commit/77bc2d6f3b6e1506c122b03cff49c902219869e3
* https://github.com/tukaani-project/xz/commit/bdb788137e1f1d967e0c9d885b859e5b95c1b5bf
* https://github.com/tukaani-project/xz/commit/2ce9ab6588a94cbf04a9c174e562ea5feb00cfb3
* https://github.com/tukaani-project/xz/commit/9a9c17712bd2a070581d9239692e527a2fe13845
* https://github.com/tukaani-project/xz/commit/c8bb46c5a16ed02401f4a0b46c74f0f46c1b6434

5.6:
* https://github.com/tukaani-project/xz/commit/fb1210f215d61bd3ea373d61e4d86d29648e1bab
* https://github.com/tukaani-project/xz/commit/c1a91b8baeb947c5b232a6c3d6319267131830bc
* https://github.com/tukaani-project/xz/commit/f74cf18ad084a9185d8ae148d89265860aa8004c
* https://github.com/tukaani-project/xz/commit/1b874b4f04909b7bb5259cb612ecef39a434dde8
* https://github.com/tukaani-project/xz/commit/6ff5b8c55960f9ebc917b668bd3567ef217175fa

5.8:
* https://github.com/tukaani-project/xz/commit/b9d168eee4fb6393b4fe207c0aeb5faee316ca1a
* https://github.com/tukaani-project/xz/commit/831b55b971cf579ee16a854f177c36b20d3c6999
* https://github.com/tukaani-project/xz/commit/c0c835964dfaeb2513a3c0bdb642105152fe9f34
* https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480
* https://github.com/tukaani-project/xz/commit/8188048854e8d11071b8a50d093c74f4c030acc9

and xz-5.8.1 has just been released.

# Workarounds

The single-threaded .xz decoder (lzma_stream_decoder) isn't
affected. The commands xz --decompress --threads=1 and xzdec use the
single-threaded decoder.

# Credits

Thanks to Harri K. Koskinen for discovering and reporting this issue.

Thanks to Sebastian Andrzej Siewior for reviewing the patches.

Thanks to Sam James for general help.

# Why fuzzing didn't find this?

XZ Utils is fuzzed by OSS-Fuzz. However, there was no program to fuzz
the multithreaded .xz decoder.  Even if there had been, it likely would
have used the fuzz_code function in fuzz_common.h like the existing fuzz
targets did. That function called lzma_code in such a way that it would
have been impossible to trigger this bug.

Lasse Collin has been working on improving the fuzzer and with some
changes, we've been able to make it detect the bug.

See https://github.com/tukaani-project/xz/commit/48440e24a25911ae59e8518b67a1e0f6f1c293bf
and https://github.com/tukaani-project/xz/commit/513cabcf7f5ce1c3ed0619e791393fc53d1dbbd0
for that.


View attachment "xz-cve-2025-31115.patch" of type "text/x-patch" (11949 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (378 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.