Gentoo Linux Security Advisory 202406-04

Gentoo Linux Security Advisory 202406-04 - A vulnerability has been discovered in LZ4 which can lead to memory corruption. Versions prior to 1.9.3-r1 are affected; 1.9.3-r1 and later are unaffected.

Packet Storm

Gentoo Linux Security Advisory GLSA 202406-04
https://security.gentoo.org/

Severity: Normal
Title: LZ4: Memory Corruption
Date: June 22, 2024
Bugs: #791952
ID: 202406-04


Synopsis

A vulnerability has been discovered in LZ4, which can lead to memory
corruption.

Background

LZ4 is a lossless compression algorithm, providing compression speed >
500 MB/s per core, scalable with multi-cores CPU. It features an
extremely fast decoder, with speed in multiple GB/s per core, typically
reaching RAM speed limits on multi-core systems.

Affected packages

Package         Vulnerable     Unaffected
app-arch/lz4    < 1.9.3-r1     >= 1.9.3-r1

Description

An attacker who submits a crafted file to an application linked against lz4
may be able to trigger an integer overflow during decompression, so that
memmove() is called with a negative size argument (which converts to a very
large size_t), causing an out-of-bounds write and/or a crash.
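To make the failure mode above concrete, the following added example (written for this page; it is not LZ4's or Gentoo's code) models the two things the description names: a 32-bit length counter that wraps while an LZ4-style extended length field is being summed, and a bounds check that the wrapped value defeats, shown beside a hardened check that compares the length against the remaining room instead. The function names, the simulated 32-bit address space (offsets in a uint32_t rather than real pointers, so the wrap is defined and deterministic), the `base` parameter standing in for length already accumulated, and the two-byte sample input are all assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not LZ4 code. Models an LZ4-style extended length field:
 * a run of 0xFF bytes, each adding 255, terminated by a byte below 255.
 * `base` is assumed to be the length already accumulated, so the wrap can be
 * shown with a short constructed input instead of ~16 MB of 0xFF bytes.
 * Returns bytes consumed, or 0 on truncated input or (when detect_overflow
 * is set) when the 32-bit counter would wrap. */
static size_t read_extended_length(const uint8_t *ip, size_t avail,
                                   uint32_t base, uint32_t *out_len,
                                   int detect_overflow)
{
    uint32_t length = base;
    size_t i = 0;
    for (;;) {
        if (i >= avail) return 0;                 /* input exhausted */
        uint8_t b = ip[i++];
        if (detect_overflow && length > UINT32_MAX - b)
            return 0;                             /* counter would wrap */
        length += b;                              /* wraps silently otherwise */
        if (b != 255) break;
    }
    *out_len = length;
    return i;
}

/* Simulated 32-bit address space: op and oend are offsets, not real pointers,
 * so wrap-around is defined behaviour and deterministic. */
typedef uint32_t addr32;

/* Naive bound check: form the end of the write first, then compare. When
 * op + length wraps past 2^32 the comparison passes and the copy would run
 * past oend: this is the shape of check an integer overflow defeats. */
static int naive_write_allowed(addr32 op, addr32 oend, uint32_t length)
{
    addr32 write_end = op + length;               /* may wrap */
    return write_end <= oend;
}

/* Hardened bound check: compare the length against the room that is left.
 * With the invariant op <= oend the subtraction cannot wrap. */
static int hardened_write_allowed(addr32 op, addr32 oend, uint32_t length)
{
    return length <= (uint32_t)(oend - op);
}

/* A signed length that went negative becomes a huge size_t at the memmove()
 * call, which is the failure mode the advisory describes. Reject it before
 * the copy. Returns 0 on success, -1 if the request is refused. */
static int checked_move(uint8_t *dst, size_t dst_cap, const uint8_t *src, long len)
{
    if (len < 0 || (size_t)len > dst_cap) return -1;
    memmove(dst, src, (size_t)len);
    return 0;
}

int main(void)
{
    /* Constructed input: one 0xFF extension byte followed by a terminator. */
    const uint8_t ext[] = { 0xFF, 0x05 };
    uint32_t len = 0;
    size_t n;

    n = read_extended_length(ext, sizeof ext, 15, &len, 1);
    printf("normal run: consumed %zu, length %u\n", n, len);

    n = read_extended_length(ext, sizeof ext, UINT32_MAX - 100, &len, 0);
    printf("unchecked near-limit run: consumed %zu, length wrapped to %u\n", n, len);

    n = read_extended_length(ext, sizeof ext, UINT32_MAX - 100, &len, 1);
    printf("checked near-limit run: consumed %zu (0 = rejected)\n", n);

    /* Output cursor 0x100 bytes below the top of the 32-bit space, 0x200 requested. */
    printf("naive check allows: %d, hardened check allows: %d\n",
           naive_write_allowed(0xFFFFFF00u, 0xFFFFFFF0u, 0x200),
           hardened_write_allowed(0xFFFFFF00u, 0xFFFFFFF0u, 0x200));

    uint8_t dst[16] = {0}, src[16] = {1, 2, 3, 4};
    printf("memmove with -1: %d, with 4: %d\n",
           checked_move(dst, sizeof dst, src, -1),
           checked_move(dst, sizeof dst, src, 4));
    return 0;
}
```

The design point is the shape of the check: `op + length <= oend` is only safe if the addition cannot wrap, whereas `length <= oend - op` stays correct for every length once `op <= oend` is maintained, and rejecting a negative signed length before it reaches memmove() closes the second door the advisory mentions.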

Impact

The greatest impact of this flaw is to availability, with some potential
impact to confidentiality and integrity as well.

Workaround

There is no known workaround at this time.

Resolution

All LZ4 users should upgrade to the latest version:

emerge --sync

emerge --ask --oneshot --verbose ">=app-arch/lz4-1.9.3-r1"

References

[ 1 ] CVE-2021-3520
https://nvd.nist.gov/vuln/detail/CVE-2021-3520

Availability

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202406-04

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
