Candidate: CVE-2019-17543
PublicDate: 2019-10-14 02:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17543
 https://github.com/lz4/lz4/pull/756
 https://github.com/lz4/lz4/pull/760
 https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2
Description:
 LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to
 LZ4_compress_destSize), affecting applications that call LZ4_compress_fast
 with a large input. (This issue can also lead to data corruption.) NOTE: the
 vendor states "only a few specific / uncommon usages of the API are at risk."
Ubuntu-Description:
Notes:
 mdeslaur> code is different in bionic and earlier, no indication that it
 mdeslaur> is vulnerable to this issue.
Mitigation:
Bugs:
 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943680
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H [8.1 HIGH]

Patches_lz4:
 upstream: https://github.com/lz4/lz4/commit/690009e2c2f9e5dcb0d40e7c0c40610ce6006eda (pre)
 upstream: https://github.com/lz4/lz4/commit/6bc6f836a18d1f8fd05c8fc2b42f1d800bc25de1
 upstream: https://github.com/lz4/lz4/commit/13a2d9e34ffc4170720ce417c73e396d0ac1471a
upstream_lz4: released (1.9.2-1)
precise/esm_lz4: DNE
trusty_lz4: ignored (out of standard support)
trusty/esm_lz4: not-affected (0.0~r114-2ubuntu1)
xenial_lz4: ignored (end of standard support, was needed)
esm-infra/xenial_lz4: not-affected (0.0~r131-2ubuntu2)
bionic_lz4: not-affected (0.0~r131-2ubuntu3.1)
disco_lz4: ignored (reached end-of-life)
eoan_lz4: ignored (reached end-of-life)
focal_lz4: not-affected (1.9.2-2)
groovy_lz4: not-affected (1.9.2-2)
hirsute_lz4: not-affected (1.9.2-2)
impish_lz4: not-affected (1.9.2-2)
jammy_lz4: not-affected (1.9.2-2)
devel_lz4: not-affected (1.9.2-2)