Ulikunitz XZ Memory Consumption Vulnerability Due to Improper LZMA Header Handling

Vulnerability

A vulnerability in the Ulikunitz XZ package, prior to version 0.5.14, allows data to be introduced before an LZMA-encoded byte stream without being detected while the header is read. This oversight can lead to excessive memory usage, because the implementation allocates the full decoding buffer immediately after the header is read. The LZMA header, as defined by the official specification, carries no magic number or checksum that would reveal such tampering at that point. Although the problem is recognized later in the stream, the memory allocation has already occurred, potentially causing significant memory leaks, especially when many LZMA archives with corrupted headers are processed. This vulnerability affects software that uses 'lzma.NewReader' or 'lzma.ReaderConfig.NewReader'.

Impact

Exploitation of this vulnerability causes increased memory consumption, leading to memory leaks and potential exhaustion of available RAM.

Reproduction

The vulnerability can be reproduced by adding a zero byte to the beginning of an LZMA file and then reading the file with the 'lzma.NewReader' or 'lzma.ReaderConfig.NewReader' functions. This can be done with a Go program that opens the LZMA file, prepends the zero byte, and then reads the result with the vulnerable reader functions. The increased memory consumption can be observed by unpacking a large number of these corrupted LZMA archives, even in a single goroutine: memory usage spikes and the reader eventually fails with a 'writeMatch: distance out of range' error.

Remediation

Users can update to Ulikunitz XZ version 0.5.14 or later, which includes mitigations such as limiting the dictionary size to prevent excessive memory allocations. Instructions for updating can be found in the Ulikunitz XZ repository on GitHub.
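The following Go program is an added illustration of the header check such a mitigation relies on; it is not code from the ulikunitz/xz project. It parses the 13-byte LZMA header (properties byte, little-endian dictionary size, little-endian uncompressed size) and rejects the stream when the dictionary size exceeds a caller-chosen cap, which is what stops the allocation before it happens. The 64 MiB cap, the 'ParseLZMAHeader' function and the sample header are assumptions made for this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// LZMAHeader is the 13-byte .lzma ("LZMA alone") header: a properties byte, a
// little-endian uint32 dictionary size and a little-endian uint64 uncompressed size.
type LZMAHeader struct {
	LC, LP, PB       byte
	DictSize         uint32
	UncompressedSize uint64
}

// ParseLZMAHeader reads the header from r and rejects it when the properties byte
// is out of range or the dictionary size exceeds maxDict, before any buffer exists.
func ParseLZMAHeader(r io.Reader, maxDict uint32) (LZMAHeader, error) {
	var raw [13]byte
	if _, err := io.ReadFull(r, raw[:]); err != nil {
		return LZMAHeader{}, fmt.Errorf("lzma header: %w", err)
	}
	props := raw[0]
	if props >= 9*5*5 { // lc in 0..8, lp in 0..4, pb in 0..4
		return LZMAHeader{}, fmt.Errorf("lzma header: bad properties byte %#x", props)
	}
	h := LZMAHeader{
		LC: props % 9, LP: (props / 9) % 5, PB: props / 45,
		DictSize:         binary.LittleEndian.Uint32(raw[1:5]),
		UncompressedSize: binary.LittleEndian.Uint64(raw[5:13]),
	}
	if h.DictSize > maxDict {
		return h, fmt.Errorf("lzma header: dictionary size %d exceeds cap %d", h.DictSize, maxDict)
	}
	return h, nil
}

// goodHeader is a constructed sample (lc=3, lp=0, pb=2, 8 MiB dictionary,
// unknown uncompressed size); one prepended zero byte shifts every field.
var goodHeader = []byte{0x5D, 0, 0, 0x80, 0, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF}

func main() {
	const maxDict = 64 << 20 // 64 MiB cap, an assumed policy value
	for _, in := range [][]byte{goodHeader, append([]byte{0}, goodHeader...)} {
		h, err := ParseLZMAHeader(bytes.NewReader(in), maxDict)
		fmt.Printf("dict=%d err=%v\n", h.DictSize, err)
	}
}
```

With the zero byte prepended, the dictionary-size field is read from the bytes 0x5D 0x00 0x00 0x80, about 2 GiB, so the cap rejects the stream where the unpatched reader would have allocated the buffer.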

Added: Aug 28, 2025, 10:22 PM
Updated: Aug 28, 2025, 10:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.