Arch Linux Security Advisory ASA-202105-27

Severity: Low
Date : 2021-05-25
CVE-ID : CVE-2021-3520
Package : lz4
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-1889

Summary

The package lz4 before version 1:1.9.3-2 is vulnerable to denial of
service.

Resolution

Upgrade to 1:1.9.3-2.

pacman -Syu “lz4>=1:1.9.3-2”

The problem has been fixed upstream but no release is available yet.

Workaround

None.

Description

A vulnerability was found in lz4, where a potential memory corruption
due to an integer overflow bug caused one of the memmove arguments to
become negative. Depending on how the library was compiled this will
hit an assert() inside the library and dump core, leaving a 4GB core
file, or it wil go into libc and crash inside the memmove() function.

Impact

A crafted lz4 file can lead to an application crash, potentially
creating a large core dump file.

References

https://bugs.archlinux.org/task/70970
https://bugzilla.redhat.com/show_bug.cgi?id=1954559
https://github.com/lz4/lz4/pull/972
https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7
https://security.archlinux.org/CVE-2021-3520