lz4-sys vulnerable to memory corruption via issue in liblz4

Critical severity, GitHub Reviewed, published Sep 1, 2022

Package: cargo lz4-sys (Rust)
Affected versions: < 1.9.4
Patched versions: 1.9.4

Description

lz4-sys up to v1.9.3 bundles a version of liblz4 that is vulnerable to
CVE-2021-3520.

Attackers could craft a payload that triggers an integer overflow upon
decompression, causing an out-of-bounds write.

The flaw has been corrected in version v1.9.4 of liblz4, which is included
in lz4-sys 1.9.4.
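A way to check a project's lockfile for the affected range above, as an added example that is not part of the advisory or of the lz4-sys crate. It assumes a Cargo.lock in the standard `[[package]]` layout and does a plain three-component version comparison rather than full semver.

```rust
// Added example (not part of the advisory): scan a Cargo.lock for copies of
// lz4-sys older than the patched 1.9.4 release. Cargo.lock is TOML, but its
// [[package]] blocks are regular enough for a line scanner; no crates needed.

/// Parse "MAJOR.MINOR.PATCH" (any -pre/+build suffix dropped) into a tuple.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Every (name, version) pair in the lockfile, in order of appearance.
fn packages(lock: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None; // new block; the file-level `version = 3` never pairs
        } else if let Some(n) = line.strip_prefix("name = ") {
            name = Some(n.trim_matches('"').to_string());
        } else if let (Some(v), Some(n)) = (line.strip_prefix("version = "), &name) {
            out.push((n.clone(), v.trim_matches('"').to_string()));
        }
    }
    out
}

/// lz4-sys versions below 1.9.4. A lockfile may pin several copies of one
/// crate, so all are reported; an unparsable version is flagged as well.
fn vulnerable_lz4_sys(lock: &str) -> Vec<String> {
    const PATCHED: (u64, u64, u64) = (1, 9, 4);
    packages(lock)
        .into_iter()
        .filter(|(n, v)| n == "lz4-sys" && parse_version(v).map_or(true, |p| p < PATCHED))
        .map(|(_, v)| v)
        .collect()
}

// Constructed lockfile fragment: the file-level version key, one unrelated
// crate and one affected copy of lz4-sys.
const SAMPLE_LOCK: &str = r#"version = 3

[[package]]
name = "lz4"
version = "1.24.0"

[[package]]
name = "lz4-sys"
version = "1.9.3"
"#;
```

Against a real project, call `vulnerable_lz4_sys` on the contents of its Cargo.lock; an empty result means no pre-1.9.4 copy of lz4-sys is pinned.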

References

  • lz4/lz4#972
  • https://rustsec.org/advisories/RUSTSEC-2022-0051.html

Severity

Critical, CVSS base score 9.8 / 10

CVSS base metrics

  • Attack vector: Network
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses: CWE-190 (Integer Overflow or Wraparound), CWE-787 (Out-of-bounds Write)

CVE ID: No known CVE
GHSA ID: GHSA-9q5j-jm53-v7vr
Source code: No known source code
