XZ Utils Buffer Overflow Vulnerability in lzma_index_append()

Vulnerability

A buffer overflow vulnerability has been identified in XZ Utils versions prior to 5.8.3. The issue arises in the lzma_index_append() function when it is used to append Records to an lzma_index that has been decoded from an Index containing no Records. In this scenario, the lzma_index is left with an incorrect internal state, leading to insufficient memory allocation and the potential for a buffer overflow. This vulnerability exists in all stable releases of XZ Utils since version 5.0.0.

Impact

Exploitation of this vulnerability leads to a buffer overflow, which can commonly result in arbitrary code execution or in a crash of the affected program.

Reproduction

The vulnerability can be reproduced by using the lzma_index_decoder() function to decode an Index that contains no Records. Following this, the lzma_index_append() function can be called, which will then allocate too little memory, causing a buffer overflow.

Remediation

Users can upgrade to XZ Utils version 5.8.3, which addresses this vulnerability. This version is available on the XZ Utils website. For users of XZ Utils versions 5.2, 5.4, and 5.6, the fix is also available in the Git repository branches v5.6, v5.4, and v5.2.

Added: Apr 2, 2026, 8:27 PM
Updated: Apr 2, 2026, 8:27 PM

Vulnerability Rating

Custom Algorithm scores (metric: value)

spread:          0.0
impact:          0.6
exploitability:  8.4
remediation:     0.0
relevance:       5.1
threat:          4.8
urgency:         2.9
incentive:       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.