Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: car...@debian.org, iwama...@debian.org
Hi Release team,

Please unblock package lz4.

The maintainer of lz4 (X-Debbugs-CC'ed) fixed the CVE-2021-3520 issue in unstable, tracked as well as #987856, which in the meantime was also addressed in buster via DSA 4919-1. So we should make sure the fix goes to bullseye as well, to not cause a (security) regression from buster to bullseye.

Attaching the full debdiff.

Note I'm not the uploader for unstable, so serving here with the security team perspective to get CVE-2021-3520 fixed in bullseye and avoid a regression.

Regards,
Salvatore
diff -Nru lz4-1.9.3/debian/changelog lz4-1.9.3/debian/changelog --- lz4-1.9.3/debian/changelog 2020-11-30 22:07:12.000000000 +0100 +++ lz4-1.9.3/debian/changelog 2021-05-05 09:29:57.000000000 +0200 @@ -1,3 +1,11 @@ +lz4 (1.9.3-2) unstable; urgency=medium + + * Fix CVE-2021-3520. (Closes: #987856) + - This fixed potential memory corruption with negative memmove() size. + - Add d/patches/0005-CVE-2021-3520.patch + + -- Nobuhiro Iwamatsu <iwama...@debian.org> Wed, 05 May 2021 16:29:57 +0900 + lz4 (1.9.3-1) unstable; urgency=medium * New upstream release. diff -Nru lz4-1.9.3/debian/patches/0005-CVE-2021-3520.patch lz4-1.9.3/debian/patches/0005-CVE-2021-3520.patch --- lz4-1.9.3/debian/patches/0005-CVE-2021-3520.patch 1970-01-01 01:00:00.000000000 +0100 +++ lz4-1.9.3/debian/patches/0005-CVE-2021-3520.patch 2021-05-05 09:29:57.000000000 +0200 @@ -0,0 +1,25 @@ +From 8301a21773ef61656225e264f4f06ae14462bca7 Mon Sep 17 00:00:00 2001 +From: Jasper Lievisse Adriaanse <j...@jasper.la> +Date: Fri, 26 Feb 2021 15:21:20 +0100 +Subject: [PATCH] Fix potential memory corruption with negative memmove() size + +--- + lib/lz4.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/lz4.c b/lib/lz4.c +index 5f524d0..c2f504e 100644 +--- a/lib/lz4.c ++++ b/lib/lz4.c +@@ -1749,7 +1749,7 @@ LZ4_decompress_generic( + const size_t dictSize /* note : = 0 if noDict */ + ) + { +- if (src == NULL) { return -1; } ++ if ((src == NULL) || (outputSize < 0)) { return -1; } + + { const BYTE* ip = (const BYTE*) src; + const BYTE* const iend = ip + srcSize; +-- +2.30.0 + diff -Nru lz4-1.9.3/debian/patches/series lz4-1.9.3/debian/patches/series --- lz4-1.9.3/debian/patches/series 2020-11-30 22:07:12.000000000 +0100 +++ lz4-1.9.3/debian/patches/series 2021-05-05 09:29:57.000000000 +0200 @@ -2,3 +2,4 @@ 0002-Fix-static-link.patch 0003-Ignore-test.patch 0004-change-optimize.patch +0005-CVE-2021-3520.patch
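Review bot: the debian/changelog hunk says "This fixed potential memory corruption with negative memmove() size"; Debian changelog entries describe the change in the present tense, so "This fixes potential memory corruption ..." would match the surrounding "Fix CVE-2021-3520." and "Add d/patches/0005-CVE-2021-3520.patch" lines. The entry otherwise does what a stable-update reviewer wants: it names the CVE, closes #987856 and lists the exact patch file added.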
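Review bot: the one-line change in lib/lz4.c, `if ((src == NULL) || (outputSize < 0)) { return -1; }`, should carry a short comment explaining why the guard exists, because nothing on the changed line says so: outputSize is a signed value that is later used as a length, and per the patch subject a negative value reaches memmove() where it is interpreted as a huge unsigned size. A comment such as `/* a negative outputSize would be passed to memmove() as a huge size_t */` on that line would make the intent clear to the next person touching LZ4_decompress_generic. Rejecting with -1 reuses the existing `src == NULL` error path, so callers already handle this return value. Separately, the patch file carries only the git format-patch header (From/Date/Subject); adding DEP-3 fields such as `Origin: upstream, <URL of upstream commit 8301a21773ef61656225e264f4f06ae14462bca7>` and `Bug-Debian: https://bugs.debian.org/987856` would let the security tracker and future maintainers connect the patch to its source without reading the changelog.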