Bug 791952 (CVE-2021-3520) - <app-arch/lz4-1.9.3-r1: Memory corruption due to an integer overflow (CVE-2021-3520)
Status: IN_PROGRESS
Alias: CVE-2021-3520
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-25 11:35 UTC by Teika kazura
Modified: 2023-05-12 01:14 UTC

See Also:
Package list:
Runtime testing required: ---


Description Teika kazura 2021-05-25 11:35:45 UTC
CVE-2021-3520 was issued. The bug is:
"memory corruption due to an integer overflow bug caused by memmove argument"

Upstream fixed it in a commit[1] but has not yet bumped the version.
[1]: https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7

For the details, please refer to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987856 (Sorry, I lack adequate training to report a security bug.)

Thanks beforehand. Regards.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-25 11:43:24 UTC
Thanks for the report!

Maintainers, please apply the patch if suitable.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-02 18:56:37 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1954559:
"The lz4 binary itself catches the problem when it parses the header, but it seems not all library consumers do and therefore LZ4_decompress_generic() was patched."
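Added example, not part of the original thread and not lz4's code: the bug class named in the CVE description (a negative signed size reaching `memmove`) and the kind of check a library consumer can apply to sizes taken from untrusted input. All function names here are hypothetical and the sample values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What memmove() receives when a signed length is passed unchecked:
 * the int converts to size_t, so a negative value becomes enormous. */
size_t length_as_seen_by_memmove(int len)
{
    return (size_t)len;
}

/* Derive a payload length from two untrusted header fields (hypothetical
 * format). The subtraction is done in 64 bits so it cannot overflow, and
 * the result is range-checked. Returns -1 on an invalid combination. */
int declared_payload_len(int32_t total, int32_t header)
{
    int64_t n = (int64_t)total - (int64_t)header;
    if (n < 0 || n > INT32_MAX)
        return -1;
    return (int)n;
}

/* Move len bytes only if len is non-negative and fits both buffers.
 * Returns the number of bytes moved, or -1 when the request is rejected. */
int checked_move(void *dst, size_t dst_cap,
                 const void *src, size_t src_len, int len)
{
    if (len < 0)
        return -1;   /* reject before the size_t conversion happens */
    if ((size_t)len > dst_cap || (size_t)len > src_len)
        return -1;   /* would read or write out of bounds */
    memmove(dst, src, (size_t)len);
    return len;
}

int main(void)
{
    char dst[8] = {0};
    /* Constructed inputs: a header claiming to be longer than the total. */
    int len = declared_payload_len(4, 16);
    printf("derived length: %d\n", len);
    printf("unchecked -1 as size_t: %zu\n", length_as_seen_by_memmove(-1));
    printf("checked_move(-1): %d\n", checked_move(dst, sizeof dst, "abcd", 4, -1));
    printf("checked_move(4):  %d\n", checked_move(dst, sizeof dst, "abcd", 4, 4));
    return 0;
}
```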
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-08 06:20:41 UTC
ping
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-06-08 11:35:08 UTC
The patch is trivial enough, so I'll just push it straight to stable.
Comment 5 Larry the Git Cow gentoo-dev 2021-06-08 11:42:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f063d9e1dcac596d0a15fab50c8d89c4d8a9d0e3

commit f063d9e1dcac596d0a15fab50c8d89c4d8a9d0e3
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-06-08 11:34:45 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-06-08 11:42:14 +0000

    app-arch/lz4: Backport memory corruption fix (CVE-2021-3520)
    
    Bug: https://bugs.gentoo.org/791952
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 .../lz4/files/lz4-1.9.3-negative-memmove.patch     | 22 ++++++++++++++++++++++
 .../lz4/{lz4-1.9.3.ebuild => lz4-1.9.3-r1.ebuild}  |  4 ++++
 2 files changed, 26 insertions(+)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-09 04:10:52 UTC
Thank you!
Comment 12 NATTkA bot gentoo-dev 2021-07-29 18:10:51 UTC
Package list is empty or all packages have requested keywords.
Comment 13 Allen Webb 2023-05-11 18:05:03 UTC
1.9.4 has the fix:

See:
https://github.com/lz4/lz4/blob/v1.9.4/lib/lz4.c#L1950
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-05-12 01:14:37 UTC
(In reply to Allen Webb from comment #13)
> 1.9.4 has the fix:
> 
> See:
> https://github.com/lz4/lz4/blob/v1.9.4/lib/lz4.c#L1950

We backported it in 1.9.3-r1.