Re: XZ Utils: Threaded decoder frees memory too early (CVE-2025-31115)

[Sam James <sam () gentoo org>]

Sam James <sam () gentoo org> writes:

> Sam James <sam () gentoo org> writes:
>
> > # Impact
> >
> > The threaded .xz decoder in liblzma has a bug that can at least result
> > in a crash (denial of service).  The effects include heap use after free
> > and writing to an address based on the null pointer plus an offset.
> >
> > This affects XZ Utils versions from 5.3.3alpha to 5.8.0. Applications
> > and libraries that use the lzma_stream_decoder_mt function are affected.
>
> Our belief is that it's highly impractical to exploit on 64-bit systems
> where xz was built with PIE (=> ASLR), but that on 32-bit systems,
> especially without PIE, it may be doable.

I should correct myself here: it's easy to exploit the *crash* (though
for liblzma users, it depends on how they ingest files), but not easy to
take over the process.