A vulnerability has been discovered in XZ Utils, which could lead to denial of service.
Package | app-arch/xz-utils on all architectures |
---|---|
Affected versions | < 5.6.4-r1 |
Unaffected versions | >= 5.6.4-r1 |
XZ Utils is free general-purpose data compression software with a high compression ratio.
A use-after-free has been discovered in XZ utils. Please review the CVE identifier referenced below for details.
The multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. It's unlikely one can achieve more than a crash if xz is built with PIE on a 64-bit system especially, as is done in Gentoo by default.
There is no known workaround at this time.
All XZ utils users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=app-arch/xz-utils-5.6.4-r1"
Release date
April 05, 2025
Latest revision
April 05, 2025: 1
Severity
normal
Exploitable
remote
Bugzilla entries