Message-ID: <87sempff3v.fsf@gentoo.org>
Date: Thu, 03 Apr 2025 16:18:28 +0100
From: Sam James <sam@...too.org>
To: oss-security@...ts.openwall.com
Cc: Lasse Collin <lasse.collin@...aani.org>, Sebastian Andrzej Siewior <sebastian@...akpoint.cc>
Subject: Re: XZ Utils: Threaded decoder frees memory too early (CVE-2025-31115)
Sam James <sam@...too.org> writes:
> # Impact
>
> The threaded .xz decoder in liblzma has a bug that can at least result
> in a crash (denial of service). The effects include heap use after free
> and writing to an address based on the null pointer plus an offset.
>
> This affects XZ Utils versions from 5.3.3alpha to 5.8.0. Applications
> and libraries that use the lzma_stream_decoder_mt function are affected.
Our belief is that it's highly impractical to exploit on 64-bit systems
where xz was built with PIE (=> ASLR), but that on 32-bit systems,
especially without PIE, it may be doable.
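As an added example (not code from this thread or from XZ Utils), a runtime check that tells whether the liblzma a program is linked against falls inside the affected range quoted above (5.3.3alpha through 5.8.0), so the program can decline to use lzma_stream_decoder_mt on such a build. The packed version encoding is the one liblzma's lzma/version.h defines and lzma_version_number() returns; the helper names and the USE_LIBLZMA build macro are assumptions of this example.

```c
/* Added example: map liblzma's version encoding onto the affected range from the
 * advisory. lzma/version.h packs versions as
 *   major*10000000 + minor*10000 + patch*10 + stability (0 alpha, 1 beta, 2 stable)
 * Build with -DUSE_LIBLZMA -llzma to query the real library; the default build
 * runs the check over constructed version strings instead. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef USE_LIBLZMA
#include <lzma.h>
#endif

enum { XZ_ALPHA = 0, XZ_BETA = 1, XZ_STABLE = 2 };

/* Same packing as LZMA_VERSION / lzma_version_number(). */
static uint32_t xz_version_pack(unsigned major, unsigned minor, unsigned patch, unsigned stability)
{
    return major * 10000000u + minor * 10000u + patch * 10u + stability;
}

/* Parse "5.3.3alpha", "5.7.1beta" or "5.8.0" into the packed form; 0 on error. */
static uint32_t xz_version_parse(const char *s)
{
    unsigned major, minor, patch, stability = XZ_STABLE;
    char suffix[8] = "";
    if (sscanf(s, "%u.%u.%u%7s", &major, &minor, &patch, suffix) < 3) return 0;
    if (strcmp(suffix, "alpha") == 0) stability = XZ_ALPHA;
    else if (strcmp(suffix, "beta") == 0) stability = XZ_BETA;
    else if (suffix[0] != '\0') return 0;          /* unknown suffix */
    return xz_version_pack(major, minor, patch, stability);
}

/* Affected range named in the advisory: 5.3.3alpha through 5.8.0, inclusive. */
static int xz_cve_2025_31115_affected(uint32_t v)
{
    return v >= xz_version_pack(5, 3, 3, XZ_ALPHA) && v <= xz_version_pack(5, 8, 0, XZ_STABLE);
}

int main(void)
{
#ifdef USE_LIBLZMA
    /* Version of the library actually loaded at run time, not the compile-time header. */
    const char *verdict = xz_cve_2025_31115_affected(lzma_version_number())
        ? "affected: do not use lzma_stream_decoder_mt" : "outside the affected range";
    printf("liblzma %s: %s\n", lzma_version_string(), verdict);
#else
    const char *samples[] = { "5.2.12", "5.3.3alpha", "5.6.1", "5.8.0" };  /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-10s -> %s\n", samples[i],
               xz_cve_2025_31115_affected(xz_version_parse(samples[i])) ? "affected" : "not affected");
#endif
    return 0;
}
```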