CVE-2021-3520 was issued. The bug is: "memory corruption due to an integer overflow bug caused by memmove argument"
Upstream fixed it in a commit[1] but has not yet bumped the version.
[1]: https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7
For the details, please refer to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987856
(Sorry, I lack adequate training to report a security bug.)
Thanks beforehand. Regards.
Thanks for the report! Maintainers, please apply the patch if suitable.
https://bugzilla.redhat.com/show_bug.cgi?id=1954559: "The lz4 binary itself catches the problem when it parses the header, but it seems not all library consumers do and therefore LZ4_decompress_generic() was patched."
ping
The patch is trivial enough, so I'll just push it straight to stable.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f063d9e1dcac596d0a15fab50c8d89c4d8a9d0e3
commit f063d9e1dcac596d0a15fab50c8d89c4d8a9d0e3
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-06-08 11:34:45 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-06-08 11:42:14 +0000
    app-arch/lz4: Backport memory corruption fix (CVE-2021-3520)
    Bug: https://bugs.gentoo.org/791952
    Signed-off-by: Michał Górny <mgorny@gentoo.org>
 .../lz4/files/lz4-1.9.3-negative-memmove.patch | 22 ++++++++++++++++++++++
 .../lz4/{lz4-1.9.3.ebuild => lz4-1.9.3-r1.ebuild} | 4 ++++
 2 files changed, 26 insertions(+)
Thank you!
Package list is empty or all packages have requested keywords.
1.9.4 has the fix: See: https://github.com/lz4/lz4/blob/v1.9.4/lib/lz4.c#L1950
(In reply to Allen Webb from comment #13)
> 1.9.4 has the fix:
>
> See:
> https://github.com/lz4/lz4/blob/v1.9.4/lib/lz4.c#L1950
We backported it in 1.9.3-r1.