Command Line Argument Injection in XZ Utils by Tukaani
CVE-2024-47611

Key Information:

  • Vendor: Tukaani
  • Status: Vendor
  • CVE Published: 2 October 2024

What is CVE-2024-47611?

XZ Utils, a data-compression library and its accompanying command-line tools, contain a command line argument injection vulnerability when built for native Windows with MinGW-w64 or MSVC. The issue stems from how Unicode characters in the command line are converted: characters that are not present in the system's current legacy code page are converted using Windows best-fit mapping, which is lossy. In some cases this conversion produces ASCII characters that change the meaning of the command line. An attacker can exploit the flaw with specially crafted filenames, leading to argument injection or directory traversal. The vulnerability is fixed in version 5.6.3; builds for Cygwin or MSYS2, as well as liblzma, are not affected.
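The best-fit behaviour described above is what lets a harmless-looking filename change how the command line is parsed once it reaches the narrow-character argv of a native Windows build. The following is an added Python example, not code from XZ Utils or from this database entry. It approximates the lossy conversion with Unicode NFKC normalisation (an assumption: the real Windows best-fit tables are code-page specific and differ from NFKC, so this is a conservative stand-in, not the exact mapping) and flags filenames whose narrow form would introduce a leading dash, a path separator or a `..` component that the original did not contain. The sample filenames are constructed for the example.

```python
import unicodedata

# ASCII characters that change how a command line or path is interpreted
# once they appear in the narrow-character form of an argument.
# Constructed for this example; extend for the tool being protected.
METACHARS = set("-/\\.")


def narrow_form(name: str) -> str:
    """Approximate the lossy wide-to-narrow conversion of a command line.

    Assumption: NFKC normalisation stands in for the Windows best-fit
    mapping, which is code-page specific and only reachable through
    WideCharToMultiByte. NFKC folds compatibility characters such as the
    fullwidth ASCII variants (U+FF01..U+FF5E) to their ASCII counterparts,
    which is the class of characters the advisory is concerned with.
    """
    return unicodedata.normalize("NFKC", name)


def injected_metachars(name: str) -> list[tuple[str, str]]:
    """List (original, folded) pairs for non-ASCII characters in `name`
    whose folded form is pure ASCII and contains a metacharacter."""
    hits = []
    for ch in name:
        if ord(ch) < 0x80:
            continue  # already ASCII: the tool sees exactly what was typed
        folded = narrow_form(ch)
        if folded != ch and folded.isascii() and METACHARS & set(folded):
            hits.append((ch, folded))
    return hits


def is_safe_argument(name: str) -> bool:
    """Return True when folding `name` introduces no argument or path
    metacharacter that the original string did not already contain.

    The checks mirror the two outcomes named in the advisory: a new
    leading '-' (argument injection) and a new path separator or '..'
    component (directory traversal).
    """
    folded = narrow_form(name)
    if folded.startswith("-") and not name.startswith("-"):
        return False
    if any(c in folded for c in "/\\") and not any(c in name for c in "/\\"):
        return False
    if ".." in folded and ".." not in name:
        return False
    return True


def audit(names: list[str]) -> dict[str, bool]:
    """Classify each filename; a caller would reject those marked False
    (or terminate option parsing with '--') before passing them to a
    native Windows build of a command-line tool."""
    return {n: is_safe_argument(n) for n in names}


if __name__ == "__main__":
    # Constructed sample filenames: plain ASCII, a fullwidth hyphen that
    # folds harmlessly mid-name, one that folds to an option-looking
    # argument, and one that folds to a path with a separator.
    SAMPLES = [
        "report-final.txt",
        "report\uff0dfinal.txt",
        "\uff0dverbose.txt",
        "docs\uff3cnotes.txt",
    ]
    for name, ok in audit(SAMPLES).items():
        print(f"{'OK  ' if ok else 'FLAG'} {name!r:28} -> {narrow_form(name)!r}"
              f" {injected_metachars(name)}")
```

The check deliberately ignores characters that are already ASCII: a real leading `-` is what the user typed, and the program will see it unchanged. Only characters that acquire a new meaning during conversion are flagged, which is the defect class the advisory describes.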

Timeline

  • Vulnerability published

The Cyber Security Vulnerability Database.