Arch Linux 809 Published by

A lz4 security update has been released for Arch Linux.



ASA-202105-27: lz4: denial of service


Arch Linux Security Advisory ASA-202105-27
=========================================
Severity: Low
Date : 2021-05-25
CVE-ID : CVE-2021-3520
Package : lz4
Type : denial of service
Remote : Yes
Link :   https://security.archlinux.org/AVG-1889

Summary
======
The package lz4 before version 1:1.9.3-2 is vulnerable to denial of
service.

Resolution
=========
Upgrade to 1:1.9.3-2.

# pacman -Syu "lz4>=1:1.9.3-2"

The problem has been fixed upstream but no release is available yet.

Workaround
=========
None.

Description
==========
A vulnerability was found in lz4, where a potential memory corruption
due to an integer overflow bug caused one of the memmove arguments to
become negative. Depending on how the library was compiled this will
hit an assert() inside the library and dump core, leaving a 4GB core
file, or it wil go into libc and crash inside the memmove() function.

Impact
=====
A crafted lz4 file can lead to an application crash, potentially
creating a large core dump file.

References
=========
  https://bugs.archlinux.org/task/70970
  https://bugzilla.redhat.com/show_bug.cgi?id54559
  https://github.com/lz4/lz4/pull/972
  https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7
  https://security.archlinux.org/CVE-2021-3520