[gentoo-announce] [ GLSA 202406-04 ] LZ4: Memory Corruption

    From glsamaker@gentoo.org@21:1/5 to All on Sat Jun 22 10:10:01 2024
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 202406-04
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    https://security.gentoo.org/
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Severity: Normal
    Title: LZ4: Memory Corruption
    Date: June 22, 2024
    Bugs: #791952
    ID: 202406-04

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    A vulnerability has been discovered in LZ4, which can lead to memory corruption.

    Background
    ==========

    LZ4 is a lossless compression algorithm, providing compression speed
    > 500 MB/s per core, scalable with multi-core CPUs. It features an
    extremely fast decoder, with speed in multiple GB/s per core, typically
    reaching RAM speed limits on multi-core systems.

    Affected packages
    =================

    Package       Vulnerable    Unaffected
    ------------  ------------  ------------
    app-arch/lz4  < 1.9.3-r1    >= 1.9.3-r1

    Description
    ===========

    An attacker who submits a crafted file to an application linked with lz4
    may be able to trigger an integer overflow, leading to a call to
    memmove() with a negative size argument, causing an out-of-bounds write
    and/or a crash.
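    A constructed illustration of the bug class the Description refers to, added here and not taken from LZ4's source: a match that spans an external dictionary and the current block is split into a dictionary part and an in-block part, and with int arithmetic a crafted (offset, length) pair makes the in-block part negative, which memmove()'s size_t parameter turns into a near-SIZE_MAX count. The hardened form keeps every size unsigned and rejects the pair before a byte is written. The function names vuln_rest_size and safe_copy_match and the simplified match layout are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model (not LZ4's own code): a decoder copies a match of
 * `length` bytes that starts `offset` bytes back in the output stream; the
 * stream is an external dictionary followed by the current output block. */

/* Vulnerable shape: lengths held as int. `block_pos` is how many bytes of
 * the current block are already decoded. Returns the count that would be
 * handed to memmove() for the part of the match inside the current block. */
static size_t vuln_rest_size(int block_pos, int offset, int length) {
    int copy_size = offset - block_pos;   /* bytes sourced from the dictionary */
    int rest_size = length - copy_size;   /* < 0 when length < copy_size */
    /* memmove(op, low_prefix, rest_size) converts the negative int to size_t:
     * a near-SIZE_MAX count, i.e. the out-of-bounds write in the advisory. */
    return (size_t)rest_size;
}

/* Hardened form: unsigned sizes, every access checked before it happens.
 * Returns bytes written, or 0 for a malformed (offset, length) pair. */
static size_t safe_copy_match(unsigned char *out, size_t out_cap, size_t out_pos,
                              const unsigned char *dict, size_t dict_len,
                              size_t offset, size_t length) {
    if (offset == 0 || length == 0) return 0;
    if (out_pos > out_cap || length > out_cap - out_pos) return 0; /* no room */
    if (offset > out_pos + dict_len) return 0;   /* reaches before the dictionary */
    for (size_t i = 0; i < length; i++) {
        size_t p = out_pos + i;                  /* position being written */
        /* byte-wise so an overlapping match (offset < length) repeats correctly;
         * sources before the block start come from the tail of the dictionary */
        out[p] = (p >= offset) ? out[p - offset] : dict[dict_len - (offset - p)];
    }
    return length;
}
```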

    Impact
    ======

    The greatest impact of this flaw is to availability, with some potential
    impact to confidentiality and integrity as well.

    Workaround
    ==========

    There is no known workaround at this time.

    Resolution
    ==========

    All LZ4 users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-arch/lz4-1.9.3-r1"

    References
    ==========

    [ 1 ] CVE-2021-3520
    https://nvd.nist.gov/vuln/detail/CVE-2021-3520

    Availability
    ============

    This GLSA and any updates to it are available for viewing at
    the Gentoo Security Website:

    https://security.gentoo.org/glsa/202406-04

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users' machines is of utmost
    importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

    License
    =======

    Copyright 2024 Gentoo Foundation, Inc; referenced text
    belongs to its owner(s).

    The contents of this document are licensed under the
    Creative Commons - Attribution / Share Alike license.

    https://creativecommons.org/licenses/by-sa/2.5