GitHub Advisory Database: GHSA-9Q5J-JM53-V7VR
Sep 01, 2022 - 10:24 p.m.

lz4-sys vulnerable to memory corruption via issue in liblz4

2022-09-01 22:24:55
CWE-190
CWE-787

lz4-sys up to v1.9.3 bundles a version of liblz4 that is vulnerable to
CVE-2021-3520.

Attackers could craft a payload that triggers an integer overflow upon
decompression, causing an out-of-bounds write.

The flaw has been corrected in version v1.9.4 of liblz4, which is included
in lz4-sys 1.9.4.
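
A lockfile check for the affected range above, as an added example that is not part of the advisory: it scans Cargo.lock text for lz4-sys entries below 1.9.4. The lockfile fragment and all function names are constructed for illustration.

```rust
// Added example, not part of the advisory; assumes Cargo.lock `key = "value"` lines.
const FIXED: (u64, u64, u64) = (1, 9, 4); // lz4-sys release that bundles liblz4 v1.9.4
// Constructed lockfile fragment for illustration.
const SAMPLE_LOCK: &str = r#"version = 3
[[package]]
name = "lz4"
version = "1.23.3"
[[package]]
name = "lz4-sys"
version = "1.9.3"
"#;

/// Parse "MAJOR.MINOR.PATCH", ignoring any "-pre" or "+build" suffix.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>());
    let triple = (parts.next()?.ok()?, parts.next()?.ok()?, parts.next()?.ok()?);
    if parts.next().is_some() { None } else { Some(triple) }
}

/// Extract the value of a `key = "value"` lockfile line.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    Some(rest.trim().trim_matches('"'))
}

/// Versions of lz4-sys entries below 1.9.4 (unparseable ones included for manual review).
fn vulnerable_lz4_sys(lock: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut name = "";
    for line in lock.lines() {
        if line.trim() == "[[package]]" {
            name = ""; // new package table: forget the previous name
        } else if let Some(n) = quoted_value(line, "name") {
            name = n;
        } else if let Some(v) = quoted_value(line, "version") {
            if name == "lz4-sys" && parse_version(v).map_or(true, |t| t < FIXED) {
                hits.push(v.to_string());
            }
        }
    }
    hits
}

fn main() {
    for v in vulnerable_lz4_sys(SAMPLE_LOCK) {
        println!("lz4-sys {} is below 1.9.4 (CVE-2021-3520): upgrade", v);
    }
}
```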

CPE
Name     Operator  Version
lz4-sys  lt        1.9.4