Arch Linux alert ASA-202105-27 (lz4)
From: Jonas Witschel via arch-security <arch-security@lists.archlinux.org>
To: arch-security@lists.archlinux.org
Subject: [ASA-202105-27] lz4: denial of service
Date: Wed, 26 May 2021 12:34:09 +0200
Message-ID: <20210526103409.czd5qwqhtso7dggx@archlinux.org>
Cc: Jonas Witschel <diabonas@archlinux.org>
Arch Linux Security Advisory ASA-202105-27
==========================================

Severity: Low
Date    : 2021-05-25
CVE-ID  : CVE-2021-3520
Package : lz4
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1889

Summary
=======

The package lz4 before version 1:1.9.3-2 is vulnerable to denial of service.

Resolution
==========

Upgrade to 1:1.9.3-2.

# pacman -Syu "lz4>=1:1.9.3-2"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

A vulnerability was found in lz4 where an integer overflow bug causes one of the memmove() arguments to become negative, leading to potential memory corruption. Depending on how the library was compiled, this will either hit an assert() inside the library and dump core, leaving a 4GB core file, or go into libc and crash inside the memmove() function.

Impact
======

A crafted lz4 file can lead to an application crash, potentially creating a large core dump file.

References
==========

https://bugs.archlinux.org/task/70970
https://bugzilla.redhat.com/show_bug.cgi?id=1954559
https://github.com/lz4/lz4/pull/972
https://github.com/lz4/lz4/commit/8301a21773ef61656225e26...
https://security.archlinux.org/CVE-2021-3520
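A defensive illustration of the defect class described above, added here as an example; it is not code from lz4 or from the advisory, and the exact location of the upstream bug is in the linked commit, not reconstructed here. It shows a bounded reader for LZ4's block-format length field (4-bit token nibble, then 255-continuation bytes) that rejects a length before the accumulator can wrap or exceed the remaining buffer, so a wrapped size never reaches memmove()/memcpy(). The function names, status codes and sample bytes are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Result codes for the bounded reader (constructed for this example). */
typedef enum { LZ4LEN_OK = 0, LZ4LEN_TRUNCATED = 1, LZ4LEN_TOO_LARGE = 2 } lz4len_status;
/* Reads an LZ4 block-format length: `nibble` is the token's 4-bit value; 15 means
 * "add each following byte until one is below 255". `limit` is the most the length
 * may legitimately be (input left for a literal run, output left for a match). The
 * check happens before each addition, so `length` can never wrap past `limit`. */
lz4len_status lz4_read_length(const uint8_t *ip, const uint8_t *iend,
                              unsigned nibble, size_t limit,
                              size_t *length_out, const uint8_t **ip_out)
{
    size_t length = nibble;
    if (length > limit) return LZ4LEN_TOO_LARGE;
    if (nibble == 15) {
        uint8_t b;
        do {
            if (ip >= iend) return LZ4LEN_TRUNCATED;         /* stream ends mid-field */
            b = *ip++;
            if (b > limit - length) return LZ4LEN_TOO_LARGE; /* would exceed the bound */
            length += b;                                      /* safe: length <= limit */
        } while (b == 255);
    }
    *length_out = length;
    *ip_out = ip;
    return LZ4LEN_OK;
}
/* One literal-copy step of a decoder: token, length field, then the literal bytes.
 * On LZ4LEN_OK, `*written` is the number of bytes copied into `op`. */
lz4len_status lz4_copy_literals(const uint8_t *ip, const uint8_t *iend,
                                uint8_t *op, const uint8_t *oend,
                                size_t *written, const uint8_t **ip_out)
{
    if (ip >= iend) return LZ4LEN_TRUNCATED;
    unsigned nibble = (unsigned)(*ip++) >> 4;
    size_t in_left = (size_t)(iend - ip), out_left = (size_t)(oend - op);
    size_t length;
    lz4len_status st = lz4_read_length(ip, iend, nibble,
                                       in_left < out_left ? in_left : out_left,
                                       &length, &ip);
    if (st != LZ4LEN_OK) return st;
    /* Continuation bytes consumed input; recheck against what is actually left. */
    if (length > (size_t)(iend - ip)) return LZ4LEN_TOO_LARGE;
    memcpy(op, ip, length);
    *written = length;
    *ip_out = ip + length;
    return LZ4LEN_OK;
}
```

The rejected cases return before any copy is attempted, which is the point: the crash the advisory describes can only occur once an unchecked size reaches the copy routine.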
