Stay Secure with the Latest Linux Advisories

security advisorydenial of servicepackage update

Arch Linux 2021-05-25 Low Severity Advisory: LZ4 DoS Issue

The package lz4 before version 1:1.9.3-2 is vulnerable to denial of service. . Arch Linux Security Advisory ASA-202105-27 ========================================= Severity: Low Date : 2021-05-25 CVE-ID : CVE-2021-3520 Package : lz4 Type : denial of service Remote : Yes Link : https://security.archlinux.org/AVG-1889 Summary ====== The package lz4 before version 1:1.9.3-2 is vulnerable to denial of service. Resolution ========= Upgrade to 1:1.9.3-2. # pacman -Syu "lz4> =1:1.9.3-2" The problem has been fixed upstream but no release is available yet. Workaround ========= None. Description ========== A vulnerability was found in lz4, where a potential memory corruption due to an integer overflow bug caused one of the memmove arguments to become negative. Depending on how the library was compiled this will hit an assert() inside the library and dump core, leaving a 4GB core file, or it wil go into libc and crash inside the memmove() function. Impact ===== A crafted lz4 file can lead to an application crash, potentially creating a large core dump file. References ========= https://bugs.archlinux.org/task/70970 https://bugzilla.redhat.com/show_bug.cgi?id=1954559 https://github.com/lz4/lz4/pull/972 https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7 https://security.archlinux.org/CVE-2021-3520 . Debian Security Notice: lz4 flaw identified that could cause program failure. Immediate update suggested to reduce threat.. lz4 Package Update, Arch Linux Security, Denial Of Service, Memory Corruption, Low Severity Advisory. . Severity: Low. LinuxSecurity.com Team

May 26, 2021 •Low ArchLinux