Challenge Information
Project: xz
Type: full
Harnesses: 4
Vulnerabilities: 1
AFC Challenge Performance
Number of Unique Vulnerabilities Discovered: #
Number of Teams with Scoring PoVs: 3
Number of Teams with Scoring Patches: 3
Number of Teams with Scoring Bundles: 3
Total Points Scored for this Challenge: 40.44873320270131
What design decisions were considered for this challenge?
Data compression is used to transmit data between software systems. If the compression layer itself is vulnerable, can it be trusted?
Why this set of vulnerabilities?
XZ is a data compression format and the name of the utility used to compress
and decompress files in that format. It’s known for its high compression ratio
and is commonly used in Linux for compressing various file types, including
release tarballs and software packages.
Delta vs Full and why?
This challenge is a full scan.
Challenge Harnesses
- fuzz_decode_stream
- fuzz_encode_stream
- fuzz_decode_stream_mt
- fuzz_decode_alone
Challenge Sarif Broadcast
Target: .aixcc/vulns/xz-001/vuln.yaml
Sarif is correct
PLACEHOLDER FOR SARIF
Challenge Vulnerabilities
Tree-based Checksum
Vulnerability Information
Author: bitsentience
Harness: fuzz_encode_stream
CWE Classification: CWE-416
What functions and functionality are relevant?
The create_tree and compute_tree_checksum functions in src/liblzma/check/treeck.c.
Why is this vulnerable?
An atypical topology of the checksum tree, triggered on a boundary condition, causes a use-after-free error.
Is this a replay and/or is it inspired by anything?
This is not a replay.
What makes it interesting?
The xz library is extensible with custom checksum algorithms. This patch
introduces a custom checksum for a fictitious filetype. On a fringe condition in
the width/height field of the new filetype, a backlink in the checksum tree
introduces a use-after-free vulnerability.
