Gentoo Linux Security Advisory GLSA 202406-04
https://security.gentoo.org/
Severity: Normal
Title: LZ4: Memory Corruption
Date: June 22, 2024
Bugs: #791952
ID: 202406-04
Synopsis
A vulnerability has been discovered in LZ4, which can lead to memory
corruption.
Background
LZ4 is a lossless compression algorithm, providing compression speed >
500 MB/s per core, scalable with multi-core CPUs. It features an
extremely fast decoder, with speed in multiple GB/s per core, typically
reaching RAM speed limits on multi-core systems.
Affected packages
Package          Vulnerable     Unaffected
app-arch/lz4     < 1.9.3-r1     >= 1.9.3-r1
Description
An attacker who submits a crafted file to an application linked with lz4
may be able to trigger an integer overflow, leading to a call to
memmove() with a negative size argument, causing an out-of-bounds write
and/or a crash.
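The bug class described above, as an added example that is not lz4's code: a toy literal-run decoder (record format constructed here: a 4-byte little-endian signed length followed by that many bytes) shows how a negative length passes a signed comparison and turns into a huge size_t at memmove(), next to the unsigned bounds check that rejects it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Record format constructed for this example (not lz4's format):
 * a 4-byte little-endian signed length followed by that many literal bytes. */
static int32_t read_le32(const uint8_t *p) {
    uint32_t u = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)u;                 /* 0xffffffff reads as -1 */
}

/* The bug pattern: a signed length compared against signed remaining space.
 * A negative length satisfies the check, and if the caller then does
 * memmove(op, ip, length), the int is converted to size_t. */
int unsafe_length_ok(int32_t length, int32_t remaining) {
    return length <= remaining;        /* -1 <= remaining is true */
}

/* The size memmove() actually receives after the implicit conversion. */
size_t size_seen_by_memmove(int32_t length) {
    return (size_t)length;             /* -1 becomes SIZE_MAX */
}

/* Hardened decoder: reject negative lengths, then bound the copy by both the
 * remaining input and the output capacity using unsigned arithmetic.
 * Returns bytes written, or -1 on malformed input. */
long decode_literals(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap) {
    if (in_len < 4) return -1;
    int32_t length = read_le32(in);
    if (length < 0) return -1;
    size_t n = (size_t)length;
    if (n > in_len - 4 || n > out_cap) return -1;
    memmove(out, in + 4, n);
    return (long)n;
}

/* Constructed sample records. */
const uint8_t REC_GOOD[] = {3, 0, 0, 0, 'a', 'b', 'c'};   /* length 3, 3 bytes */
const uint8_t REC_NEG[]  = {0xff, 0xff, 0xff, 0xff};      /* length -1 */
const uint8_t REC_LONG[] = {9, 0, 0, 0, 'a', 'b', 'c'};   /* claims 9, has 3 */

/* Decode one record into a small output buffer; returns decode_literals() result. */
long decode_sample(const uint8_t *rec, size_t rec_len) {
    uint8_t out[8];
    return decode_literals(rec, rec_len, out, sizeof out);
}
```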
Impact
The greatest impact of this flaw is to availability, with some potential
impact to confidentiality and integrity as well.
Workaround
There is no known workaround at this time.
Resolution
All LZ4 users should upgrade to the latest version:
    emerge --sync
    emerge --ask --oneshot --verbose ">=app-arch/lz4-1.9.3-r1"
References
[ 1 ] CVE-2021-3520
https://nvd.nist.gov/vuln/detail/CVE-2021-3520
Availability
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/202406-04
Concerns?
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
https://creativecommons.org/licenses/by-sa/2.5