path: root/website/static/security/advisories/FreeBSD-SA-25:06.xz.asc
Diffstat (limited to 'website/static/security/advisories/FreeBSD-SA-25:06.xz.asc')
-rw-r--r--website/static/security/advisories/FreeBSD-SA-25:06.xz.asc136
1 files changed, 136 insertions, 0 deletions
diff --git a/website/static/security/advisories/FreeBSD-SA-25:06.xz.asc b/website/static/security/advisories/FreeBSD-SA-25:06.xz.asc
new file mode 100644
index 0000000000..d7a8a32d1d
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-25:06.xz.asc
@@ -0,0 +1,136 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-25:06.xz Security Advisory
+ The FreeBSD Project
+
+Topic: Use-after-free in multi-threaded xz decoder
+
+Category: contrib
+Module: xz
+Announced: 2025-07-02
+Affects: FreeBSD 13.5 and FreeBSD 14.2
+Corrected: 2025-05-07 21:26:00 UTC (stable/14, 14.2-STABLE)
+ 2025-07-02 18:28:13 UTC (releng/14.2, 14.2-RELEASE-p4)
+ 2025-05-07 21:25:59 UTC (stable/13, 13.4-STABLE)
+ 2025-07-02 18:28:32 UTC (releng/13.5, 13.5-RELEASE-p2)
+CVE Name: CVE-2025-31115
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I. Background
+
+XZ Utils is a set of free software command-line lossless data compressors,
+including the programs lzma and xz.
+
+II. Problem Description
+
+A worker thread could free its input buffer after decoding, while the
+main thread might still be writing to it. This leads to an use-after-free
+condition on heap memory.
+
+III. Impact
+
+An attacker may use specifically crafted .xz file to cause multi-threaded
+xz decoder to crash, or potentially run arbitrary code under the credential
+the decoder was executed.
+
+IV. Workaround
+
+No workaround is available, but systems where xz decoding was not used in
+multi-threaded mode are not affected.
+
+V. Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+Unless the decoder is running as a daemon, no reboot is required.
+
+Perform one of the following:
+
+1) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
+utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-25:06/xz.patch
+# fetch https://security.FreeBSD.org/patches/SA-25:06/xz.patch.asc
+# gpg --verify xz.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the liblzma library, or reboot the system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/14/ 5cf27a49a2de stable/14-n271423
+releng/14.2/ 49b07b94662b releng/14.2-n269529
+stable/13/ 346bb5d3fe19 stable/13-n259281
+releng/13.5/ 95e9c54b3961 releng/13.5-n259171
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31115>
+
+<URL:https://tukaani.org/xz/threaded-decoder-early-free.html>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-25:06.xz.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmhlfTUACgkQbljekB8A
+Gu/LnA//WD66vLyMS5V+GcwJO3+Txq502F7U/HRoq0TRNJoEkSL5u+tpJD/hZUn4
+tkBayhSdJKs6d6UURZdhlEsCF4V7bjMzmudOwUnEwFZNXoUZHe0DHPMzFpGvVrD/
+zlN2QZptcP5IU0mPlSFbhQzrUwLnKhjN0NqDZSdaM+7jWDN2zdQFTwijHLFZV66a
+FYK8Gr+x4OJHn2CtxBz2ST2S4Aaju38D02IdwX/MQFTtVpLHvt2w/j84Ks2c/MXp
+BJxHKcyohEZRd0jO2XKaX1gBANoLNSRcJbeamJ8zYXSygakbqTkgfW8QHi09WSJH
+cLqp/NNi4D5v83j11vKlMHAujLgvgTupF7KTG5FXVYF0KZ0URXGEprC9mCWPbIOo
+5AD1pbDW1G/OO/cmBn63nILu0U5YLqjcIh2UkJxROs8BBCWouh3k6ZEx2mxQZ9Jy
+U2aDrC8TwYf1Sqwr063L+WNo38SUSILNaP17xWpeDToDMYHqnrdMOtj/OFDV1g1U
+ra0CYfp2yWpMZ9UibS6GV+mvtiPe/exxqMNFmkpZ/+uTBbH3vPX/rVbJIJkIsOsA
+Re9OUfhOYTsPV/bK+NRPAqaLTrmifEECYlskmAgvGoVdMldeL47nGt0EyZLKZ75y
+xY4qPHPJEv7TXA8ZOpQ85M491TfwoETZ6CytmwjeXQmOEY8KRtQ=
+=TZId
+-----END PGP SIGNATURE-----
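Review bot: the advisory body has a few wording slips that should be fixed before the signed text is published, since the PGP signature freezes them. In "II. Problem Description", "This leads to an use-after-free condition" should read "a use-after-free condition". In "III. Impact", "may use specifically crafted .xz file to cause multi-threaded xz decoder to crash" is missing articles ("a specifically crafted .xz file", "the multi-threaded xz decoder"), and "under the credential the decoder was executed" should read "with the credentials of the user running the decoder". In "IV. Workaround", the sentence already states that only multi-threaded decoding is affected, so it would help readers to say explicitly that decoding in single-threaded mode avoids the bug until the fix is applied, rather than leaving that as an inference. Finally, "V. Solution" says no reboot is required unless the decoder runs as a daemon, yet step 1) still ends with `# shutdown -r +10min "Rebooting for a security update"`; either drop that line or qualify it so the two statements agree, consistent with the "Restart all daemons that use the liblzma library, or reboot the system." line under step 2).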