946399 – app-arch/p7zip: Add upstream patch for lz4 integer overflow (CVE-2021-3520)

Bug 946399 - app-arch/p7zip: Add upstream patch for lz4 integer overflow (CVE-2021-3520)

Summary: app-arch/p7zip: Add upstream patch for lz4 integer overflow (CVE-2021-3520)

Status:	CONFIRMED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	A3 [ebuild]
Keywords:

Depends on:
Blocks:

Reported:	2024-12-14 06:25 UTC by gen2dev
Modified:	2024-12-15 09:12 UTC (History)
CC List:	1 user (show)

See Also:	CVE-2021-3520 https://github.com/p7zip-project/p7zip/pull/239
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description gen2dev 2024-12-14 06:25:44 UTC

app-arch/p7zip-17.* has a bundled version of lz4 which is affected by CVE-2021-3520 (Memory corruption due to integer overflow). Upstream recently fixed it in their "p7zip17" branch. It only changes one line of code. The patch should be added to the p7zip-17.05 ebuild.

https://github.com/p7zip-project/p7zip/pull/239
https://github.com/p7zip-project/p7zip/commit/d9c3d157c62e842897d4447db717f813810e1423

Reproducible: Always

Comment 1 Sam James archtester

2024-12-14 11:44:35 UTC


*** This bug has been marked as a duplicate of bug 791952 ***

Comment 2 Sam James archtester

2024-12-14 11:45:07 UTC

Ah, no.