kriszyp / lmdb-js

Simple, efficient, ultra-fast, scalable data store wrapper for LMDB

vulnerability affecting vtk-v9.1.0.rc1 #255

Closed tech-run closed 7 months ago

tech-run commented 10 months ago

A vulnerability was found in lz4. lz4-sys up to v1.9.3 bundles a version of liblz4 that is vulnerable to CVE-2021-3520. This vulnerability affects the function memmove. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash.

Risk: The manipulation of the argument size with an unknown input leads to an out-of-bounds write vulnerability. This will have an impact on availability, integrity and confidentiality.

Links: CVE-2021-3520 https://www.mend.io/vulnerability-database/CVE-2021-3520

AMoo-Miki commented 10 months ago

Thanks Kris for the commit. Would love to see this included in a release.

ananzh commented 10 months ago

Do we know when this could be released? Thanks.

kriszyp commented 10 months ago

Published in v2.8.5.
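Added example (not from the lmdb-js project or anyone in this thread): a lockfile check that flags every installed copy of `lmdb` older than 2.8.5, the release named above as carrying the fix. It assumes an npm `package-lock.json` with `lockfileVersion` 2 or 3, where each installed copy (including nested duplicates) is listed under `packages` keyed by its path; the lockfile object below is constructed for the demo.

```javascript
// Added example, not part of lmdb-js. Scans a lockfileVersion 2/3
// package-lock.json object for copies of "lmdb" below the fixed release
// (2.8.5, which updated the bundled lz4 affected by CVE-2021-3520).
const FIXED_VERSION = '2.8.5';

// Numeric comparison of dotted versions; a pre-release suffix is ignored.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every installed copy appears under "packages" keyed by its path, so a
// nested duplicate shows up as ".../node_modules/lmdb" and is caught too.
function findVulnerableLmdb(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/lmdb$/.test(path)) continue;
    if (typeof entry.version !== 'string') continue; // link/workspace entry
    if (compareVersions(entry.version, FIXED_VERSION) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample: one patched top-level copy and one stale nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/lmdb': { version: '2.8.5' },
    'node_modules/other-lib': { version: '4.2.0' },
    'node_modules/other-lib/node_modules/lmdb': { version: '2.7.11' },
  },
};

// Run against a real lockfile with:
//   findVulnerableLmdb(JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')))
console.log(findVulnerableLmdb(sampleLock));
```

Only the nested `2.7.11` copy is reported; the top-level `2.8.5` passes, which is the case an eyeball check of `npm ls lmdb` at depth 0 would miss.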