--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: carnil@debian.org,iwamatsu@debian.org
Hi Release team,
Please unblock package lz4
The maintainer of lz4 (X-Debbugs-CC'ed) fixed in unstable the
CVE-2021-3520 issue, tracked as well as #987856, which got in
meanwhile as well adressed in buster via DSA 4919-1. So we should make
sure the fix goes as well to bullseye to not cause a (security)
regression from buster to bullseye.
Attaching the full debdiff. Note I'm not the uploader for unstable, so
serving here with the security team perspective to get CVE-2021-3520
fixed in bullseye and void a regression.
Regards,
Salvatore
diff -Nru lz4-1.9.3/debian/changelog lz4-1.9.3/debian/changelog
--- lz4-1.9.3/debian/changelog 2020-11-30 22:07:12.000000000 +0100
+++ lz4-1.9.3/debian/changelog 2021-05-05 09:29:57.000000000 +0200
@@ -1,3 +1,11 @@
+lz4 (1.9.3-2) unstable; urgency=medium
+
+ * Fix CVE-2021-3520. (Closes: #987856)
+ - This fixed potential memory corruption with negative memmove() size.
+ - Add d/patches/0005-CVE-2021-3520.patch
+
+ -- Nobuhiro Iwamatsu <iwamatsu@debian.org> Wed, 05 May 2021 16:29:57 +0900
+
lz4 (1.9.3-1) unstable; urgency=medium
* New upstream release.
diff -Nru lz4-1.9.3/debian/patches/0005-CVE-2021-3520.patch lz4-1.9.3/debian/patches/0005-CVE-2021-3520.patch
--- lz4-1.9.3/debian/patches/0005-CVE-2021-3520.patch 1970-01-01 01:00:00.000000000 +0100
+++ lz4-1.9.3/debian/patches/0005-CVE-2021-3520.patch 2021-05-05 09:29:57.000000000 +0200
@@ -0,0 +1,25 @@
+From 8301a21773ef61656225e264f4f06ae14462bca7 Mon Sep 17 00:00:00 2001
+From: Jasper Lievisse Adriaanse <j@jasper.la>
+Date: Fri, 26 Feb 2021 15:21:20 +0100
+Subject: [PATCH] Fix potential memory corruption with negative memmove() size
+
+---
+ lib/lz4.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/lz4.c b/lib/lz4.c
+index 5f524d0..c2f504e 100644
+--- a/lib/lz4.c
++++ b/lib/lz4.c
+@@ -1749,7 +1749,7 @@ LZ4_decompress_generic(
+ const size_t dictSize /* note : = 0 if noDict */
+ )
+ {
+- if (src == NULL) { return -1; }
++ if ((src == NULL) || (outputSize < 0)) { return -1; }
+
+ { const BYTE* ip = (const BYTE*) src;
+ const BYTE* const iend = ip + srcSize;
+--
+2.30.0
+
diff -Nru lz4-1.9.3/debian/patches/series lz4-1.9.3/debian/patches/series
--- lz4-1.9.3/debian/patches/series 2020-11-30 22:07:12.000000000 +0100
+++ lz4-1.9.3/debian/patches/series 2021-05-05 09:29:57.000000000 +0200
@@ -2,3 +2,4 @@
0002-Fix-static-link.patch
0003-Ignore-test.patch
0004-change-optimize.patch
+0005-CVE-2021-3520.patch
--- End Message ---