[manjaro-security] [ASA-202105-27] lz4: denial of service
Jonas Witschel via arch-security
arch-security at lists.archlinux.org
Wed May 26 12:34:09 CEST 2021
Arch Linux Security Advisory ASA-202105-27
Date : 2021-05-25
CVE-ID : CVE-2021-3520
Package : lz4
Type : denial of service
Remote : Yes
Link : https://security.archlinux.org/AVG-1889
The package lz4 before version 1:1.9.3-2 is vulnerable to denial of

Upgrade to 1:1.9.3-2.

# pacman -Syu "lz4>=1:1.9.3-2"

The problem has been fixed upstream but no release is available yet.

A vulnerability was found in lz4, where a potential memory corruption
due to an integer overflow bug caused one of the memmove arguments to
become negative. Depending on how the library was compiled this will
hit an assert() inside the library and dump core, leaving a 4GB core
file, or it will go into libc and crash inside the memmove() function.

A crafted lz4 file can lead to an application crash, potentially
creating a large core dump file.
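As an added illustration (not code from lz4 or from this advisory), the following C program shows the bug class the description refers to: a length built from untrusted input overflows a signed integer, goes negative, and reaches memmove() as an enormous size_t, beside a hardened copy step that rejects such lengths before any arithmetic or memory access. The function names, the toy buffer and the length values are constructed for the example and do not reproduce lz4's real code path.

```c
/* Added example: a toy copy step of the kind an LZ-style decoder performs.
 * Hypothetical code, not lz4's own; it illustrates the overflow class only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bug-class sketch: base_len is a length already decoded, extra is a further
 * length read from the stream. The sum is done in uint32_t so the wrap is well
 * defined here; reinterpreted as the signed int a careless decoder holds, it is
 * negative and converts to a huge size_t on the way into memmove(). Only
 * reports that size; never performs the copy. */
size_t unchecked_copy_len(int32_t base_len, int32_t extra)
{
    int32_t wrapped = (int32_t)((uint32_t)base_len + (uint32_t)extra);
    return (size_t)wrapped;  /* INT32_MAX + 1 -> INT32_MIN -> about 2^64 */
}

/* Hardened step: reject negative or overflowing lengths before adding them and
 * bound the result by the space left in both buffers. Returns bytes copied or -1. */
long checked_copy(unsigned char *dst, size_t dst_left,
                  const unsigned char *src, size_t src_left,
                  int32_t base_len, int32_t extra)
{
    if (base_len < 0 || extra < 0) return -1;
    if (extra > INT32_MAX - base_len) return -1;         /* would overflow */
    uint32_t total = (uint32_t)base_len + (uint32_t)extra;
    if (total > dst_left || total > src_left) return -1; /* out of bounds */
    memmove(dst, src, total);
    return (long)total;
}

/* Constructed sample: one sane request and one wrapping request against a
 * 16-byte buffer. Returns 1 if the hardened path accepts the first and rejects
 * the second. */
int demo(void)
{
    unsigned char buf[16] = "0123456789abcdef";
    long ok  = checked_copy(buf + 8, 8, buf, 8, 3, 5);         /* 8 bytes */
    long bad = checked_copy(buf + 8, 8, buf, 8, INT32_MAX, 1); /* wraps */
    return ok == 8 && bad == -1 && memcmp(buf + 8, "01234567", 8) == 0;
}

int main(void)
{
    printf("size memmove would receive: %zu\n", unchecked_copy_len(INT32_MAX, 1));
    printf("hardened path correct: %d\n", demo());
    return demo() ? 0 : 1;
}
```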