CVE-2021-3520 was issued. The bug is: "memory corruption due to an integer overflow bug caused by memmove argument"
Upstream fixed it in a commit[1] but has not yet bumped the version.
[1]: https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7
For the details, please refer to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987856
(Sorry, I lack adequate training to report a security bug.)
Thanks beforehand.
Regards.
Thanks for the report! Maintainers, please apply the patch if suitable.
https://bugzilla.redhat.com/show_bug.cgi?id=1954559: "The lz4 binary itself catches the problem when it parses the header, but it seems not all library consumers do and therefore LZ4_decompress_generic() was patched."
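
The validation gap described in the quoted Red Hat comment, seen from a library consumer's side, as an added example (not code from lz4, Gentoo or this thread): sizes read from an untrusted header are range-checked before they are narrowed to the `int` lengths a decoder takes, since a negative `int` becomes a huge `size_t` once it reaches `memmove`. The 8-byte header layout and the names `parse_sizes` and `as_memmove_len` are hypothetical, constructed for the illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 8-byte container header, constructed for this example
 * (not the LZ4 frame format): two little-endian 32-bit fields,
 * compressed size then decompressed size. */
typedef struct { int ok; int src_len; int dst_cap; } block_sizes;

/* Constructed sample headers. */
static const unsigned char HDR_OK[8]  = {0x10, 0, 0, 0, 0x40, 0, 0, 0};
static const unsigned char HDR_NEG[8] = {0x10, 0, 0, 0, 0xFF, 0xFF, 0xFF, 0xFF};

static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* What a signed length turns into at memmove's size_t parameter. */
size_t as_memmove_len(int n) { return (size_t)n; }

/* Validate declared sizes while they are still unsigned, against the
 * buffers the caller really has, and only then narrow them to int. */
block_sizes parse_sizes(const unsigned char *hdr, size_t hdr_len,
                        size_t payload_len, size_t dst_buf_len)
{
    block_sizes r = {0, 0, 0};
    if (hdr == NULL || hdr_len < 8) return r;
    uint32_t c = rd_le32(hdr), d = rd_le32(hdr + 4);
    if (c > (uint32_t)INT_MAX || d > (uint32_t)INT_MAX) return r; /* negative as int */
    if (c > payload_len || d > dst_buf_len) return r;             /* exceeds real buffers */
    r.ok = 1; r.src_len = (int)c; r.dst_cap = (int)d;
    return r;
}

int main(void)
{
    printf("-1 as a size_t length: %zu\n", as_memmove_len(-1));
    printf("HDR_OK  accepted: %d\n", parse_sizes(HDR_OK, 8, 16, 64).ok);
    printf("HDR_NEG accepted: %d\n", parse_sizes(HDR_NEG, 8, 16, 64).ok);
    return 0;
}
```
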
ping
The patch is trivial enough, so I'll just push it straight to stable.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f063d9e1dcac596d0a15fab50c8d89c4d8a9d0e3

commit f063d9e1dcac596d0a15fab50c8d89c4d8a9d0e3
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-06-08 11:34:45 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2021-06-08 11:42:14 +0000

    app-arch/lz4: Backport memory corruption fix (CVE-2021-3520)

    Bug: https://bugs.gentoo.org/791952
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 .../lz4/files/lz4-1.9.3-negative-memmove.patch | 22 ++++++++++++++++++++++
 .../lz4/{lz4-1.9.3.ebuild => lz4-1.9.3-r1.ebuild} | 4 ++++
 2 files changed, 26 insertions(+)
Thank you!
Package list is empty or all packages have requested keywords.
1.9.4 has the fix:
See: https://github.com/lz4/lz4/blob/v1.9.4/lib/lz4.c#L1950
(In reply to Allen Webb from comment #13)
> 1.9.4 has the fix:
>
> See:
> https://github.com/lz4/lz4/blob/v1.9.4/lib/lz4.c#L1950
We backported it in 1.9.3-r1.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=acb9476bc172258fe693650384438c25dcfc468d

commit acb9476bc172258fe693650384438c25dcfc468d
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-06-22 08:02:03 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-06-22 08:02:32 +0000

    [ GLSA 202406-04 ] LZ4: Memory Corruption

    Bug: https://bugs.gentoo.org/791952
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202406-04.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
*** Bug 946399 has been marked as a duplicate of this bug. ***