Subject: [ASA-202105-27] lz4: denial of service

Arch Linux Security Advisory ASA-202105-27
==========================================

Severity: Low
Date    : 2021-05-25
CVE-ID  : CVE-2021-3520
Package : lz4
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1889

Summary
=======

The package lz4 before version 1:1.9.3-2 is vulnerable to denial of service.

Resolution
==========

Upgrade to 1:1.9.3-2.

# pacman -Syu "lz4>=1:1.9.3-2"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

A vulnerability was found in lz4, where a potential memory corruption due to an integer overflow bug caused one of the memmove arguments to become negative. Depending on how the library was compiled, this will hit an assert() inside the library and dump core, leaving a 4GB core file, or it will go into libc and crash inside the memmove() function.

Impact
======

A crafted lz4 file can lead to an application crash, potentially creating a large core dump file.

References
==========

https://bugs.archlinux.org/task/70970
https://bugzilla.redhat.com/show_bug.cgi?id=1954559
https://github.com/lz4/lz4/pull/972
https://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7
https://security.archlinux.org/CVE-2021-3520
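The Description section names the failure mode in general terms: a length computation overflows, the value goes negative, and it is handed to memmove(), whose size parameter is an unsigned size_t. The C program below is an added illustration written for this page; it is not code from lz4, from the referenced pull request, or from the Arch package. The functions size_seen_by_memmove, bounded_memmove and demo, the status codes, and the base/extra operands are hypothetical stand-ins, and the buffers are constructed. It shows what memmove sees when a negative length reaches it, and the checked-arithmetic plus bounds-check pattern that keeps such a copy from running at all.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration (not lz4 code): a length that has gone negative in a
 * signed integer becomes an enormous size_t once it reaches memmove(),
 * which is why the advisory's bug ends in an assert() or a libc crash.
 */
static size_t size_seen_by_memmove(int length)
{
    return (size_t)length;   /* -1 becomes SIZE_MAX */
}

/* Status codes for the hardened copy helper below (hypothetical names). */
enum copy_status { COPY_OK = 0, COPY_ERR_OVERFLOW = 1, COPY_ERR_BOUNDS = 2 };

/*
 * Hardened pattern: compute the byte count in size_t, reject the sum if it
 * would wrap, and check it against both buffers before touching memory.
 * `base` and `extra` stand in for the two values whose sum is the copy length.
 */
static int bounded_memmove(unsigned char *dst, size_t dst_cap,
                           const unsigned char *src, size_t src_len,
                           size_t base, size_t extra)
{
    size_t length;

    if (base > SIZE_MAX - extra)           /* base + extra would wrap */
        return COPY_ERR_OVERFLOW;
    length = base + extra;
    if (length > src_len || length > dst_cap)
        return COPY_ERR_BOUNDS;

    memmove(dst, src, length);
    return COPY_OK;
}

/*
 * Exercises the helper on constructed buffers. Returns 0 when every case
 * behaves as intended, otherwise the number of the first failing check.
 */
static int demo(void)
{
    unsigned char src[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed input */
    unsigned char dst[8] = {0};

    /* 1-2: an ordinary copy of 4 + 2 bytes succeeds and lands in dst */
    if (bounded_memmove(dst, sizeof dst, src, sizeof src, 4, 2) != COPY_OK)
        return 1;
    if (dst[5] != 6 || dst[6] != 0)
        return 2;

    /* 3: a sum that would wrap is rejected before memmove runs */
    if (bounded_memmove(dst, sizeof dst, src, sizeof src, SIZE_MAX, 1) != COPY_ERR_OVERFLOW)
        return 3;

    /* 4: a sum that fits in size_t but exceeds the buffers is also rejected */
    if (bounded_memmove(dst, sizeof dst, src, sizeof src, 4, 8) != COPY_ERR_BOUNDS)
        return 4;

    /* 5: the unchecked conversion shows what memmove would have been asked to do */
    if (size_seen_by_memmove(-1) != SIZE_MAX)
        return 5;

    return 0;
}

int main(void)
{
    int rc = demo();
    printf("demo: %s (code %d)\n", rc == 0 ? "all checks passed" : "check failed", rc);
    return rc;
}
```

The overflow test is done on the operands before the addition rather than by inspecting the result, because a wrapped unsigned sum is a perfectly valid (small) size_t and cannot be recognised afterwards; the separate bounds check catches lengths that do not wrap but still exceed either buffer.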