Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <8734epfa6u.fsf@gentoo.org>
Date: Thu, 03 Apr 2025 18:04:41 +0100
From: Sam James <sam@...too.org>
To: oss-security@...ts.openwall.com
Cc: Lasse Collin <lasse.collin@...aani.org>,  Sebastian Andrzej Siewior
 <sebastian@...akpoint.cc>
Subject: Re: XZ Utils: Threaded decoder frees memory too
 early (CVE-2025-31115)

Sam James <sam@...too.org> writes:

> Sam James <sam@...too.org> writes:
>
>> # Impact
>>
>> The threaded .xz decoder in liblzma has a bug that can at least result
>> in a crash (denial of service).  The effects include heap use after free
>> and writing to an address based on the null pointer plus an offset.
>>
>> This affects XZ Utils versions from 5.3.3alpha to 5.8.0. Applications
>> and libraries that use the lzma_stream_decoder_mt function are affected.
>
> Our belief is that it's highly impractical to exploit on 64-bit systems
> where xz was built with PIE (=> ASLR), but that on 32-bit systems,
> especially without PIE, it may be doable.

I should correct myself here: it's easy to exploit the *crash* (though
for liblzma users, it depends on how they ingest files), but not easy to
take over the process.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.