PublicDateAtUSN: 2020-09-15 10:15:00 UTC
Candidate: CVE-2020-8927
PublicDate: 2020-09-15 10:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8927
 https://github.com/google/brotli/releases/tag/v1.0.9
 https://ubuntu.com/security/notices/USN-4568-1
Description:
 A buffer overflow exists in the Brotli library versions prior to 1.0.8 where
 an attacker controlling the input length of a "one-shot" decompression
 request to a script can trigger a crash, which happens when copying over
 chunks of data larger than 2 GiB. It is recommended to update your Brotli
 library to 1.0.8 or later. If one cannot update, we recommend using the
 "streaming" API instead of the "one-shot" API and imposing chunk size limits.
Ubuntu-Description:
Notes:
Mitigation:
 Applications that cannot move to a fixed library can decode with the Brotli
 streaming API instead of the one-shot API and cap the size of each input
 chunk handed to the decoder, keeping every chunk well below 2 GiB.
Bugs:
Priority: medium
Discovered-by:
Assigned-to: leosilva
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L [6.5 MEDIUM]

Patches_brotli:
 upstream: https://github.com/google/brotli/commit/223d80cfbec8fd346e32906c732c8ede21f0cea6
upstream_brotli: released (1.0.9-1)
precise/esm_brotli: DNE
trusty_brotli: ignored (out of standard support)
trusty/esm_brotli: DNE
xenial_brotli: released (1.0.3-1ubuntu1~16.04.2)
esm-infra/xenial_brotli: released (1.0.3-1ubuntu1~16.04.2)
bionic_brotli: released (1.0.3-1ubuntu1.3)
focal_brotli: released (1.0.7-6ubuntu0.1)
devel_brotli: released (1.0.9-2)