Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2019-17543

Published: 14 October 2019

LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."

Notes

AuthorNote
mdeslaur
code is different in bionic and earlier, no indication that it
is vulnerable to this issue.

Priority

Low

Cvss 3 Severity Score

8.1

Score breakdown

Status

Package Release Status
lz4
Launchpad, Ubuntu, Debian
hirsute Not vulnerable
(1.9.2-2)
xenial Not vulnerable
(0.0~r131-2ubuntu2)
jammy Not vulnerable
(1.9.2-2)
bionic Not vulnerable
(0.0~r131-2ubuntu3.1)
disco Ignored
(end of life)
eoan Ignored
(end of life)
focal Not vulnerable
(1.9.2-2)
groovy Not vulnerable
(1.9.2-2)
impish Not vulnerable
(1.9.2-2)
trusty Not vulnerable
(0.0~r114-2ubuntu1)
upstream
Released (1.9.2-1)
Patches:
upstream: https://github.com/lz4/lz4/commit/690009e2c2f9e5dcb0d40e7c0c40610ce6006eda (pre)
upstream: https://github.com/lz4/lz4/commit/6bc6f836a18d1f8fd05c8fc2b42f1d800bc25de1
upstream: https://github.com/lz4/lz4/commit/13a2d9e34ffc4170720ce417c73e396d0ac1471a

Severity score breakdown

Parameter Value
Base score 8.1
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H