(https://nvd.nist.gov/vuln/detail/CVE-2019-10654): The lzo1x_decompress function in liblzo2.so.2 in LZO 2.10, as used in Long Range Zip (aka lrzip) 0.631, allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted archive, a different vulnerability than CVE-2017-8845.

Gentoo Security Padawan (domhnall):
Looks to be an incomplete fix: https://github.com/ckolivas/lrzip/issues/108
Maintainer suggests using a PR: https://github.com/ckolivas/lrzip/issues/108#issuecomment-584319910

This PR is closed and its functionality is said to be implemented in another PR, without linking it. I can't find such a PR and I can't see the commit in master. I have no idea if this bug was fixed elsewhere, as I couldn't reproduce it, but there appear to be more security fixes in the commit log, so it would be prudent to add another snapshot.
(In reply to John Helmert III from comment #2)
> Maintainer suggests using a PR:
>
> https://github.com/ckolivas/lrzip/issues/108#issuecomment-584319910

Oops, that might not be the maintainer. They seem to maintain a fork that they recommend:
https://github.com/ckolivas/lrzip/pull/140#issuecomment-869879318
https://github.com/pete4abw/lrzip-next