Sam James <s...@gentoo.org> writes:

> # Impact
>
> The threaded .xz decoder in liblzma has a bug that can at least result
> in a crash (denial of service).  The effects include heap use after free
> and writing to an address based on the null pointer plus an offset.
>
> This affects XZ Utils versions from 5.3.3alpha to 5.8.0. Applications
> and libraries that use the lzma_stream_decoder_mt function are affected.

Our belief is that it's highly impractical to exploit on 64-bit systems
where xz was built with PIE (=> ASLR), but that on 32-bit systems,
especially without PIE, it may be doable.
