PublicDateAtUSN: 2021-04-30 00:00:00 UTC
Candidate: CVE-2021-3520
PublicDate: 2021-06-02 13:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3520
 https://github.com/lz4/lz4/pull/972
 https://ubuntu.com/security/notices/USN-4968-1
 https://ubuntu.com/security/notices/USN-4968-2
Description:
 There's a flaw in lz4. An attacker who submits a crafted file to an
 application linked with lz4 may be able to trigger an integer overflow,
 leading to calling of memmove() on a negative size argument, causing an
 out-of-bounds write and/or a crash. The greatest impact of this flaw is to
 availability, with some potential impact to confidentiality and integrity
 as well.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987856
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_lz4:
 upstream: https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7
upstream_lz4: released (1.9.3-2)
precise/esm_lz4: DNE
trusty_lz4: ignored (out of standard support)
trusty/esm_lz4: released (0.0~r114-2ubuntu1+esm2)
xenial_lz4: ignored (end of standard support, was needs-triage)
esm-infra/xenial_lz4: released (0.0~r131-2ubuntu2+esm1)
bionic_lz4: released (0.0~r131-2ubuntu3.1)
focal_lz4: released (1.9.2-2ubuntu0.20.04.1)
groovy_lz4: released (1.9.2-2ubuntu0.20.10.1)
hirsute_lz4: released (1.9.3-1ubuntu0.1)
impish_lz4: not-affected (1.9.3-2)
jammy_lz4: not-affected (1.9.3-2)
devel_lz4: not-affected (1.9.3-2)