Описание
Security update for lz4
This update for lz4 fixes the following issues:
- CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438).
- CVE-2019-17543: Fixed heap-based buffer overflow in LZ4_write32 (bsc#1153936).
Список пакетов
SUSE Linux Enterprise Software Development Kit 12 SP5
liblz4-1-1.8.0-3.3.1
Ссылки
- Link for SUSE-SU-2021:1613-1
- E-Mail link for SUSE-SU-2021:1613-1
- SUSE Security Ratings
- SUSE Bug 1153936
- SUSE Bug 1185438
- SUSE CVE CVE-2019-17543 page
- SUSE CVE CVE-2021-3520 page
Описание
LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."
Затронутые продукты
SUSE Linux Enterprise Software Development Kit 12 SP5:liblz4-1-1.8.0-3.3.1
Ссылки
- CVE-2019-17543
- SUSE Bug 1153936
- SUSE Bug 1188549
Описание
There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.
Затронутые продукты
SUSE Linux Enterprise Software Development Kit 12 SP5:liblz4-1-1.8.0-3.3.1
Ссылки
- CVE-2021-3520
- SUSE Bug 1185438