The latest librdkafka version v2.2.0-RC1 uses lz4 1.9.3
```c
#define LZ4_VERSION_MAJOR    1    /* for breaking interface changes  */
#define LZ4_VERSION_MINOR    9    /* for new (non-breaking) interface capabilities */
#define LZ4_VERSION_RELEASE  3    /* for tweaks, bug-fixes, or development */
```
lz4 v1.9.3 has a critical vulnerability - CVE-2021-3520.
It was fixed in lz4 1.9.4 in this commit: lz4/lz4@8301a21
It is a Critical Security Issue.
It looks like the fix was merged in 66d2d33
In this commit the LZ4 version should have been promoted to 1.9.4, but lz4.h was not merged for some reason.
The case is that since you (librdkafka) merged some PRs from 1.9.4 but not all, you have a special version that is not mappable to any LZ4 release. Thus in lz4.h you have LZ4_VERSION_* defines that do not and cannot reflect the LZ4 version. You have something between 1.9.3 and 1.9.4, but neither of these exactly.
As a matter of integrity, I suggest considering one of the following actions:
1. Upmerge all the changes to the 1.9.4 release, including lz4.h.
2. Add `#define LZ4_VERSION_PATCH` with a comment regarding the additional changes since the 1.9.3 release.
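An added supply-chain check (not code from librdkafka or lz4) that reads the LZ4_VERSION_* defines from a vendored lz4.h, computes the same number as lz4.h's LZ4_VERSION_NUMBER macro, and compares it with the 1.9.4 release that carries the fix; the helper names and the sample header text are assumptions constructed for this example.

```python
"""Compare a vendored lz4.h's declared version with a minimum release."""
import re

# Minimum release carrying the CVE-2021-3520 fix, per the issue above.
MIN_FIXED = (1, 9, 4)

_DEFINE_RE = re.compile(
    r'^\s*#\s*define\s+LZ4_VERSION_(MAJOR|MINOR|RELEASE)\s+(\d+)', re.M)


def lz4_version_number(major, minor, release):
    """Same arithmetic as the LZ4_VERSION_NUMBER macro in lz4.h."""
    return major * 100 * 100 + minor * 100 + release


def parse_lz4_version(header_text):
    """Return (major, minor, release) from lz4.h text, else raise ValueError."""
    found = {m.group(1): int(m.group(2)) for m in _DEFINE_RE.finditer(header_text)}
    missing = {'MAJOR', 'MINOR', 'RELEASE'} - set(found)
    if missing:
        raise ValueError(f"lz4.h lacks LZ4_VERSION_{sorted(missing)} defines")
    return found['MAJOR'], found['MINOR'], found['RELEASE']


def check_lz4_header(header_text, minimum=MIN_FIXED):
    """Return (ok, message); ok is False when the declared version is too old."""
    version = parse_lz4_version(header_text)
    label = '.'.join(map(str, version))
    floor = '.'.join(map(str, minimum))
    if lz4_version_number(*version) >= lz4_version_number(*minimum):
        return True, f"lz4.h declares {label} (>= {floor})"
    # Caveat from the thread: a vendored copy with only some 1.9.4 commits
    # backported still declares 1.9.3, so a failure here means "review the
    # vendored sources", not proof that the fix is absent.
    return False, (f"lz4.h declares {label}, below {floor}; "
                   "inspect the vendored sources for backported fixes")


# Constructed sample mirroring the 1.9.3 defines quoted in the issue.
SAMPLE_HEADER_193 = """\
#define LZ4_VERSION_MAJOR    1    /* for breaking interface changes  */
#define LZ4_VERSION_MINOR    9    /* for new (non-breaking) interface capabilities */
#define LZ4_VERSION_RELEASE  3    /* for tweaks, bug-fixes, or development */
"""

if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HEADER_193
    ok, msg = check_lz4_header(text)
    print(msg)
    sys.exit(0 if ok else 1)
```

Run it against `src/lz4.h` of a librdkafka checkout to get a non-zero exit when the declared version is still 1.9.3.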