ArchLinux: 202105-27: lz4: denial of service
Summary
A vulnerability was found in lz4 where an integer overflow bug can lead to memory corruption: the overflow causes one of the arguments passed to memmove() to become negative. Depending on how the library was compiled, this will either hit an assert() inside the library and dump core, leaving a 4GB core file, or go into libc and crash inside the memmove() function.
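The following C snippet is an added illustration of the bug class the summary describes; it is not lz4's code and does not reproduce the lz4 defect. It models a generic LZ77-style back-reference copy (names such as out_t, unchecked_len and safe_match_copy are hypothetical): the unchecked helper shows how a length computed in a signed int can wrap negative and, once converted to size_t, turn into an enormous memmove size, while the checked version rejects the overflow and any copy that would leave the output buffer before memmove() is ever called.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64  /* constructed output buffer size for the demo */

/* Constructed output state: bytes decoded so far live in buf[0..pos). */
typedef struct {
    unsigned char buf[BUF_SIZE];
    size_t pos;
} out_t;

static void out_init(out_t *o, const char *seed)
{
    memset(o, 0, sizeof *o);
    o->pos = strlen(seed);
    memcpy(o->buf, seed, o->pos);
}

/* Unchecked length arithmetic, as a model of the failure mode only.
 * base + extra is added in unsigned (well-defined wrap), stored in a signed
 * int (negative on the usual two's-complement compilers), then converted to
 * size_t, which yields a huge value. Feeding this to memmove() is what the
 * advisory describes; this function only computes it and never copies. */
static size_t unchecked_len(unsigned base, unsigned extra)
{
    int total = (int)(base + extra);
    return (size_t)total;
}

/* Checked version: the copy length must be non-negative, must not overflow
 * int, and must fit in the space remaining in the output buffer. */
static bool checked_copy_len(int base, int extra, size_t remaining, size_t *out_len)
{
    int total;
    if (base < 0 || extra < 0)
        return false;
    if (__builtin_add_overflow(base, extra, &total))  /* would wrap negative */
        return false;
    if ((size_t)total > remaining)
        return false;
    *out_len = (size_t)total;
    return true;
}

/* Copy (base + extra) bytes from `offset` bytes behind the write position.
 * Returns 0 on success, -1 if any bound check fails; memmove() is only
 * reached with validated arguments. */
static int safe_match_copy(out_t *o, size_t offset, int base, int extra)
{
    size_t len;
    if (offset == 0 || offset > o->pos)          /* source would precede buf */
        return -1;
    if (!checked_copy_len(base, extra, BUF_SIZE - o->pos, &len))
        return -1;
    if (offset >= len) {
        /* Non-overlapping source and destination: a plain block move. */
        memmove(o->buf + o->pos, o->buf + o->pos - offset, len);
    } else {
        /* Overlapping back-reference: byte-wise copy gives the repeat pattern. */
        for (size_t i = 0; i < len; i++)
            o->buf[o->pos + i] = o->buf[o->pos - offset + i];
    }
    o->pos += len;
    return 0;
}

int main(void)
{
    out_t o;
    out_init(&o, "abcd");
    printf("unchecked length for INT_MAX+1: %zu bytes\n", unchecked_len(INT_MAX, 1));
    printf("checked copy of 4 bytes, offset 4: %d\n", safe_match_copy(&o, 4, 4, 0));
    printf("checked copy with overflowing length: %d\n", safe_match_copy(&o, 1, INT_MAX, 1));
    printf("output: %.*s\n", (int)o.pos, o.buf);
    return 0;
}
```

The detection value for a defender is the contrast: the crash the advisory describes comes from arithmetic that is never compared against the destination's remaining space, so a fuzzer-produced input that wraps the length reaches memmove() directly; the checked path turns the same input into an error return.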
Resolution
Upgrade to 1:1.9.3-2.
# pacman -Syu "lz4>=1:1.9.3-2"
The problem has been fixed upstream but no release is available yet.
References
https://bugs.archlinux.org/task/70970
https://bugzilla.redhat.com/show_bug.cgi?id=1954559
https://github.com/lz4/lz4/pull/972
https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7
https://security.archlinux.org/CVE-2021-3520
Workaround
None.