CVE-2019-17543 of Lz4(v1.7.6) detected by BDBA scan #2598

Closed
chensuyue opened this issue Nov 1, 2019 · 2 comments · Fixed by #2600

Comments

@chensuyue

Could you please update the lz4 version to v1.9.2 to fix this CVE?

LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."
(https://nvd.nist.gov/vuln/detail/CVE-2019-17543)
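
A way to find vendored lz4 copies in a source tree that predate the 1.9.2 fix named above, as an added example that is not part of the original issue or the project's code. It assumes each copy ships an `lz4.h` defining the `LZ4_VERSION_MAJOR`/`MINOR`/`RELEASE` macros; the sample header text and directory names are constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (1, 9, 2)  # per the NVD text: "LZ4 before 1.9.2" is affected

# Matches the version macros in lz4.h, tolerating "#  define" spacing.
_MACRO = re.compile(
    r"^\s*#\s*define\s+LZ4_VERSION_(MAJOR|MINOR|RELEASE)\s+(\d+)", re.MULTILINE
)

def lz4_header_version(text):
    """Return (major, minor, release) from lz4.h contents, or None if incomplete."""
    found = {name: int(num) for name, num in _MACRO.findall(text)}
    try:
        return (found["MAJOR"], found["MINOR"], found["RELEASE"])
    except KeyError:
        return None  # very old or stripped header: needs manual review

def scan_tree(root):
    """Yield (path, version, status) for every lz4.h found under root."""
    for path in sorted(Path(root).rglob("lz4.h")):
        version = lz4_header_version(path.read_text(errors="replace"))
        if version is None:
            status = "unknown"
        elif version < FIXED:
            status = "affected"
        else:
            status = "fixed"
        yield path, version, status

# Constructed sample header, shaped like the macro block in lz4.h.
SAMPLE = (
    "#define LZ4_VERSION_MAJOR    %d    /* for breaking interface changes */\n"
    "#define LZ4_VERSION_MINOR    %d    /* for new interface capabilities */\n"
    "#define LZ4_VERSION_RELEASE  %d    /* for tweaks and bug-fixes */\n"
)

def demo():
    """Build two constructed trees (1.7.6 and 1.9.2) and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for sub, ver in (("old/src", (1, 7, 6)), ("new/src", (1, 9, 2))):
            d = Path(tmp, sub)
            d.mkdir(parents=True)
            (d / "lz4.h").write_text(SAMPLE % ver)
        return [(p.parent.parent.name, v, s) for p, v, s in scan_tree(tmp)]

if __name__ == "__main__":
    for name, version, status in demo():
        print(name, version, status)
```

A header version only identifies the upstream release a copy was taken from; a vendored copy with a backported patch will still report the old number, so treat "affected" as a prompt to check the code.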

@chuanqi129

Hi @edenhill, may I know the release date of the 1.2.2 version? Thanks

@edenhill
Contributor

It will be released later today, thanks for your patience.
