CVE-2019-17543

Published: 14 October 2019

LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."

Priority

CVSS 3 base score: 8.1

Status

Package	Release	Status
lz4 Launchpad, Ubuntu, Debian	Upstream	Released (1.9.2-1)

	Ubuntu 20.10 (Groovy Gorilla)	Not vulnerable (1.9.2-2)
	Ubuntu 20.04 LTS (Focal Fossa)	Not vulnerable (1.9.2-2)
	Ubuntu 18.04 LTS (Bionic Beaver)	Needed
	Ubuntu 16.04 LTS (Xenial Xerus)	Needed
	Ubuntu 14.04 ESM (Trusty Tahr)	Needs triage

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17543
https://github.com/lz4/lz4/pull/756
https://github.com/lz4/lz4/pull/760
https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2
NVD
Launchpad
Debian

Bugs

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=943680

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu 14.04 Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM