lib/59505: CVE-2025-31115: Threaded .xz decoder frees memory too early

To: lib-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: lib/59505: CVE-2025-31115: Threaded .xz decoder frees memory too early
From: kim%netbsd.org@localhost (Kimmo Suominen)
Date: Thu, 3 Jul 2025 05:05:01 +0000 (UTC)

>Number:         59505
>Category:       lib
>Synopsis:       CVE-2025-31115: Threaded .xz decoder frees memory too early
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jul 03 05:05:00 +0000 2025
>Originator:     Kimmo Suominen
>Release:        NetBSD 10.99.14 (202505302330Z)
>Organization:
>Environment:
System: NetBSD revolutions.gw.fi 10.99.14 NetBSD 10.99.14 (GENERIC) #0: Fri May 30 19:42:28 UTC 2025 mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:

	In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder
	in liblzma has a bug where invalid input can at least result
	in a crash (CVE-2025-31115). The effects include heap use
	after free and writing to an address based on the null pointer
	plus an offset. Applications and libraries that use the
	lzma_stream_decoder_mt function are affected.

>How-To-Repeat:

	https://tukaani.org/xz/threaded-decoder-early-free.html

>Fix:

	Upgrade to 5.8.1 (or later).

Prev by Date: bin/59504: dhcpd crashes on arm64eb regularly, now an ASAN enabled one has some details
Next by Date: lib/59506: static libarchive is missing zstd symbols
Previous by Thread: bin/59504: dhcpd crashes on arm64eb regularly, now an ASAN enabled one has some details
Next by Thread: lib/59506: static libarchive is missing zstd symbols
Indexes:

Home | Main Index | Thread Index | Old Index