XZ Utils: Use after free — GLSA 202504-01

A vulnerability has been discovered in XZ Utils, which could lead to denial of service.

Affected packages

app-arch/xz-utils on all architectures
Affected versions < 5.6.4-r1
Unaffected versions >= 5.6.4-r1

Background

XZ Utils is free general-purpose data compression software with a high compression ratio.

Description

A use-after-free has been discovered in XZ utils. Please review the CVE identifier referenced below for details.

Impact

The multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. It's unlikely one can achieve more than a crash if xz is built with PIE on a 64-bit system especially, as is done in Gentoo by default.

Workaround

There is no known workaround at this time.

Resolution

All XZ utils users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=app-arch/xz-utils-5.6.4-r1"
 

References

Release date
April 05, 2025

Latest revision
April 05, 2025: 1

Severity
normal

Exploitable
remote

Bugzilla entries