- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202406-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: LZ4: Memory Corruption
     Date: June 22, 2024
     Bugs: #791952
       ID: 202406-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability has been discovered in LZ4, which can lead to memory
corruption.

Background
==========

LZ4 is a lossless compression algorithm, providing compression speed >
500 MB/s per core, scalable with multi-cores CPU. It features an
extremely fast decoder, with speed in multiple GB/s per core, typically
reaching RAM speed limits on multi-core systems.

Affected packages
=================

Package       Vulnerable    Unaffected
------------  ------------  ------------
app-arch/lz4  < 1.9.3-r1    >= 1.9.3-r1

Description
===========

An attacker who submits a crafted file to an application linked with lz4
may be able to trigger an integer overflow, leading to calling of
memmove() on a negative size argument, causing an out-of-bounds write
and/or a crash.

Impact
======

The greatest impact of this flaw is to availability, with some potential
impact to confidentiality and integrity as well.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All LZ4 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-arch/lz4-1.9.3-r1"

References
==========

[ 1 ] CVE-2021-3520
      https://nvd.nist.gov/vuln/detail/CVE-2021-3520

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202406-04

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo: GLSA-202406-04: LZ4: Memory CorruptionSecurity Advisory Updates

A vulnerability has been discovered in LZ4, which can lead to memory corruption.

Summary

An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash.

Resolution

All LZ4 users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=app-arch/lz4-1.9.3-r1"

References

[ 1 ] CVE-2021-3520 https://nvd.nist.gov/vuln/detail/CVE-2021-3520

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202406-04

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity
Severity: Normal
Title: LZ4: Memory Corruption
Date: June 22, 2024
Bugs: #791952
ID: 202406-04

Synopsis

A vulnerability has been discovered in LZ4, which can lead to memory corruption.

Background

LZ4 is a lossless compression algorithm, providing compression speed > 500 MB/s per core, scalable with multi-cores CPU. It features an extremely fast decoder, with speed in multiple GB/s per core, typically reaching RAM speed limits on multi-core systems.

Affected Packages

Package Vulnerable Unaffected ------------ ------------ ------------ app-arch/lz4 < 1.9.3-r1 >= 1.9.3-r1

Impact

The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.

Workaround

There is no known workaround at this time.

Related News

14.Lock Code WorldMap Esm H170
2 - 4 min read
Government agencies are drawing attention to an issue plaguing open-source communities: memory-unsafe languages. A study entitled " Exploring Memory
11.Locks IsometricPattern Esm H170
2 - 3 min read
Cybersecurity threats continue to emerge regularly, and Promon's security team recently identified one such novel threat, Snowblind. This malware
32.Lock Code Circular Esm H170
2 - 4 min read
The Cybersecurity and Infrastructure Security Agency (CISA) recently added a new Linux kernel privilege escalation bug ( CVE-2024-1086 ) to its
6.EmailConnection Touch Esm H170
2 - 3 min read
Recent security updates for Ubuntu and Debian have been released to address vulnerabilities in Thunderbird, the popular open-source mail and
20.Lock AbstractDigital Circular Esm H170
2 - 3 min read
Google has released fixes for a high-severity Chromium security flaw ( CVE-2024-5274 ) impacting its widely used Chrome browser and other
20.Lock AbstractDigital Circular Esm H170
2 - 4 min read
The recent discovery of a backdoor in Linux's xz compression tool has shed light on cybercriminals' ingenious methods of gaining entry and remaining
19.Laptop Bed Esm H170
2 - 4 min read
Wordfence security researchers recently shed light on an infamous supply chain attack that may have affected as many as 36,000 WordPress websites.
32.Lock Code Circular Esm H170
3 - 5 min read
In the ever-evolving cybersecurity landscape, a new concern has come to light for Linux admins—a claimed zero-day vulnerability for Local Privilege

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved