
Bug#988952: marked as done (unblock: lz4/1.9.3-2)



Your message dated Fri, 21 May 2021 20:24:06 +0000
with message-id <E1lkBgk-0000Up-BF@respighi.debian.org>
and subject line unblock lz4
has caused the Debian Bug report #988952,
regarding unblock: lz4/1.9.3-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
988952: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988952
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: carnil@debian.org,iwamatsu@debian.org

Hi Release team,

Please unblock package lz4

The maintainer of lz4 (X-Debbugs-CC'ed) fixed in unstable the
CVE-2021-3520 issue, tracked as well as #987856, which got in
meanwhile as well addressed in buster via DSA 4919-1. So we should make
sure the fix goes as well to bullseye to not cause a (security)
regression from buster to bullseye.

Attaching the full debdiff. Note I'm not the uploader for unstable, so
serving here with the security team perspective to get CVE-2021-3520
fixed in bullseye and avoid a regression.

Regards,
Salvatore
diff -Nru lz4-1.9.3/debian/changelog lz4-1.9.3/debian/changelog
--- lz4-1.9.3/debian/changelog	2020-11-30 22:07:12.000000000 +0100
+++ lz4-1.9.3/debian/changelog	2021-05-05 09:29:57.000000000 +0200
@@ -1,3 +1,11 @@
+lz4 (1.9.3-2) unstable; urgency=medium
+
+  * Fix CVE-2021-3520. (Closes: #987856)
+    - This fixed potential memory corruption with negative memmove() size.
+    - Add d/patches/0005-CVE-2021-3520.patch
+
+ -- Nobuhiro Iwamatsu <iwamatsu@debian.org>  Wed, 05 May 2021 16:29:57 +0900
+
 lz4 (1.9.3-1) unstable; urgency=medium
 
   * New upstream release.
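Review bot: the sub-bullet `- This fixed potential memory corruption with negative memmove() size.` is in the past tense beside the imperative `* Fix CVE-2021-3520.`; suggest `- Fixes potential memory corruption with negative memmove() size.` and, since the added patch file identifies its source, a line such as `- Cherry-picked from upstream commit 8301a21.` so a stable-update reviewer can trace the origin from the changelog alone.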
diff -Nru lz4-1.9.3/debian/patches/0005-CVE-2021-3520.patch lz4-1.9.3/debian/patches/0005-CVE-2021-3520.patch
--- lz4-1.9.3/debian/patches/0005-CVE-2021-3520.patch	1970-01-01 01:00:00.000000000 +0100
+++ lz4-1.9.3/debian/patches/0005-CVE-2021-3520.patch	2021-05-05 09:29:57.000000000 +0200
@@ -0,0 +1,25 @@
+From 8301a21773ef61656225e264f4f06ae14462bca7 Mon Sep 17 00:00:00 2001
+From: Jasper Lievisse Adriaanse <j@jasper.la>
+Date: Fri, 26 Feb 2021 15:21:20 +0100
+Subject: [PATCH] Fix potential memory corruption with negative memmove() size
+
+---
+ lib/lz4.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/lz4.c b/lib/lz4.c
+index 5f524d0..c2f504e 100644
+--- a/lib/lz4.c
++++ b/lib/lz4.c
+@@ -1749,7 +1749,7 @@ LZ4_decompress_generic(
+                  const size_t dictSize         /* note : = 0 if noDict */
+                  )
+ {
+-    if (src == NULL) { return -1; }
++    if ((src == NULL) || (outputSize < 0)) { return -1; }
+ 
+     {   const BYTE* ip = (const BYTE*) src;
+         const BYTE* const iend = ip + srcSize;
+-- 
+2.30.0
+
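Review bot: the patch file carries only git's From/Date/Subject headers and no DEP-3 `Origin:` or `Bug-Debian:` lines, so nobody reading the package later can tell from the patch alone that it is upstream commit 8301a21773ef61656225e264f4f06ae14462bca7 and that it closes #987856 / CVE-2021-3520; suggest adding `Origin: upstream, <URL of that commit>`, `Bug-Debian: https://bugs.debian.org/987856` and, if the upstream release containing it is known, `Applied-Upstream:`. On the change itself, the new `(outputSize < 0)` guard sits beside the existing `src == NULL` check and returns the same -1 before any size arithmetic, which is the right place for it; the diffstat shows only lib/lz4.c touched, so no regression test for a negative outputSize accompanies the fix, acceptable for a freeze-time security cherry-pick but worth recording in the unblock request.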
diff -Nru lz4-1.9.3/debian/patches/series lz4-1.9.3/debian/patches/series
--- lz4-1.9.3/debian/patches/series	2020-11-30 22:07:12.000000000 +0100
+++ lz4-1.9.3/debian/patches/series	2021-05-05 09:29:57.000000000 +0200
@@ -2,3 +2,4 @@
 0002-Fix-static-link.patch
 0003-Ignore-test.patch
 0004-change-optimize.patch
+0005-CVE-2021-3520.patch

--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
