Bug#988952: unblock: lz4/1.9.3-2

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#988952: unblock: lz4/1.9.3-2
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 21 May 2021 22:02:34 +0200
Message-id: <[🔎] 162162735497.22982.8298215152709344346.reportbug@eldamar.lan>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 988952@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: carnil@debian.org,iwamatsu@debian.org

Hi Release team,

Please unblock package lz4

The maintainer of lz4 (X-Debbugs-CC'ed) fixed in unstable the
CVE-2021-3520 issue, tracked as well as #987856, which got in
meanwhile as well adressed in buster via DSA 4919-1. So we should make
sure the fix goes as well to bullseye to not cause a (security)
regression from buster to bullseye.

Attaching the full debdiff. Note I'm not the uploader for unstable, so
serving here with the security team perspective to get CVE-2021-3520
fixed in bullseye and void a regression.

Regards,
Salvatore

diff -Nru lz4-1.9.3/debian/changelog lz4-1.9.3/debian/changelog
--- lz4-1.9.3/debian/changelog	2020-11-30 22:07:12.000000000 +0100
+++ lz4-1.9.3/debian/changelog	2021-05-05 09:29:57.000000000 +0200
@@ -1,3 +1,11 @@
+lz4 (1.9.3-2) unstable; urgency=medium
+
+  * Fix CVE-2021-3520. (Closes: #987856)
+    - This fixed potential memory corruption with negative memmove() size.
+    - Add d/patches/0005-CVE-2021-3520.patch
+
+ -- Nobuhiro Iwamatsu <iwamatsu@debian.org>  Wed, 05 May 2021 16:29:57 +0900
+
 lz4 (1.9.3-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru lz4-1.9.3/debian/patches/0005-CVE-2021-3520.patch lz4-1.9.3/debian/patches/0005-CVE-2021-3520.patch
--- lz4-1.9.3/debian/patches/0005-CVE-2021-3520.patch	1970-01-01 01:00:00.000000000 +0100
+++ lz4-1.9.3/debian/patches/0005-CVE-2021-3520.patch	2021-05-05 09:29:57.000000000 +0200
@@ -0,0 +1,25 @@
+From 8301a21773ef61656225e264f4f06ae14462bca7 Mon Sep 17 00:00:00 2001
+From: Jasper Lievisse Adriaanse <j@jasper.la>
+Date: Fri, 26 Feb 2021 15:21:20 +0100
+Subject: [PATCH] Fix potential memory corruption with negative memmove() size
+
+---
+ lib/lz4.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/lz4.c b/lib/lz4.c
+index 5f524d0..c2f504e 100644
+--- a/lib/lz4.c
++++ b/lib/lz4.c
+@@ -1749,7 +1749,7 @@ LZ4_decompress_generic(
+                  const size_t dictSize         /* note : = 0 if noDict */
+                  )
+ {
+-    if (src == NULL) { return -1; }
++    if ((src == NULL) || (outputSize < 0)) { return -1; }
+ 
+     {   const BYTE* ip = (const BYTE*) src;
+         const BYTE* const iend = ip + srcSize;
+-- 
+2.30.0
+
diff -Nru lz4-1.9.3/debian/patches/series lz4-1.9.3/debian/patches/series
--- lz4-1.9.3/debian/patches/series	2020-11-30 22:07:12.000000000 +0100
+++ lz4-1.9.3/debian/patches/series	2021-05-05 09:29:57.000000000 +0200
@@ -2,3 +2,4 @@
 0002-Fix-static-link.patch
 0003-Ignore-test.patch
 0004-change-optimize.patch
+0005-CVE-2021-3520.patch

Reply to:

Follow-Ups:
- Bug#988952: marked as done (unblock: lz4/1.9.3-2)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Processed: Re: Bug#988832: unblock: libx11/2:1.7.1-1
Next by Date: Bug#988910: marked as done (unblock: flent/2.0.0-3)
Previous by thread: Bug#988939: marked as done (unblock: whipper/0.9.0-7)
Next by thread: Bug#988952: marked as done (unblock: lz4/1.9.3-2)
Index(es):
- Date
- Thread