Bug 1765316 (CVE-2019-17543)

Summary: CVE-2019-17543 lz4: heap-based buffer overflow in LZ4_write32
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: apevec, eglynn, igor.raits, jamartis, jjoyce, jschluet, lhh, lpeer, lsvaty, mburns, mgarciac, pgrist, pj.pandit, sclewis, slinaber
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: lz4 1.9.2
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-25 22:13:10 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1765317, 1765318, 1791798, 1791799
Bug Blocks: 1765319

Description Guilherme de Almeida Suckevicz 2019-10-24 19:35:56 UTC
LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."

Reference:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941

Upstream patches:
https://github.com/lz4/lz4/pull/756
https://github.com/lz4/lz4/pull/760

Comment 1 Guilherme de Almeida Suckevicz 2019-10-24 19:36:12 UTC
Created lz4 tracking bugs for this issue:

Affects: epel-6 [bug 1765318]
Affects: fedora-all [bug 1765317]

Comment 3 Joshua Padman 2019-11-11 01:48:16 UTC
Statement:

Red Hat OpenStack Platform 10 packages an older version of lz4 that has the flawed code. However, because OpenStack has been using RHEL's updated lz4 version since RHEL7.5 started to include it, Red Hat is not currently updating the OpenStack lz4 package.

Comment 4 Huzaifa S. Sidhpurwala 2020-01-16 13:46:18 UTC
As per upstream:

Actually, in most systems, including the lz4 frame format and API, the bug is just out of reach. That's what makes it so difficult to discover, and since it also requires multiple uncommon constraints on the encoder side, which are out of direct control from an external actor (in contrast with the payload), this bug is rarely "reachable", making it a poor exploit vector.

Note that the CLI is immune to this bug, as it does not present the required constraints to be exposed, hence the suggested reproduction command lz4 -1 -l outfile should not work. The CLI is considered safe, for all versions. It's only a few specific / uncommon usages of the API which are at risk.

We invite all users of LZ4 to upgrade to v1.9.2, to reduce exposure to risks, but the risk is low: specifically, the lz4 CLI is safe, and all "common" usages of the API (covered by the documentation) are safe too.
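The practical follow-up to the statements above is to confirm that whatever liblz4 an application links against is at or past the fixed release (1.9.2, per the "Fixed In Version" field). The following C snippet is an added example written for this page, not code from the lz4 project or from this bug. It relies on one fact about the real library: lz4.h encodes its version as MAJOR*100*100 + MINOR*100 + RELEASE, so 1.9.2 is 10902, and LZ4_versionNumber() returns that integer at run time. To stay buildable without liblz4 installed, the block does not include lz4.h; in a real build you would feed the result of LZ4_versionNumber() into lz4_has_cve_2019_17543_fix() (a hypothetical helper name) instead of a parsed string. The version strings in main() are constructed samples, not observed installations.

```c
#include <stdio.h>
#include <stdlib.h>

/* Numeric encoding used by lz4.h (MAJOR*100*100 + MINOR*100 + RELEASE).
 * 1.9.2, the first release containing the fix for this bug, is 10902. */
#define LZ4_CVE_2019_17543_FIXED_NUMBER 10902

/* Convert a dotted "MAJOR.MINOR.RELEASE" string (e.g. from pkg-config
 * or a package query) into the lz4 numeric encoding.
 * Returns -1 when the string is not exactly three dotted integers. */
int lz4_version_to_number(const char *s)
{
    int major, minor, release;
    char trailing;

    if (s == NULL)
        return -1;
    /* The extra %c catches junk after the third number ("1.9.2x"). */
    if (sscanf(s, "%d.%d.%d%c", &major, &minor, &release, &trailing) != 3)
        return -1;
    if (major < 0 || minor < 0 || minor > 99 || release < 0 || release > 99)
        return -1;
    return major * 100 * 100 + minor * 100 + release;
}

/* 1 if a library reporting this version number contains the fix,
 * 0 if it is one of the affected releases (everything before 1.9.2).
 * Pass LZ4_versionNumber() here when lz4.h is available. */
int lz4_has_cve_2019_17543_fix(int version_number)
{
    return version_number >= LZ4_CVE_2019_17543_FIXED_NUMBER;
}

/* String-in, verdict-out convenience wrapper: 1 fixed, 0 affected,
 * -1 when the version string could not be parsed (treat as unknown). */
int lz4_version_string_is_fixed(const char *s)
{
    int n = lz4_version_to_number(s);
    if (n < 0)
        return -1;
    return lz4_has_cve_2019_17543_fix(n);
}

int main(void)
{
    /* Constructed sample version strings for demonstration only. */
    const char *samples[] = { "1.8.3", "1.9.1", "1.9.2", "1.9.4", "r131" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int verdict = lz4_version_string_is_fixed(samples[i]);
        printf("lz4 %-6s -> %s\n", samples[i],
               verdict == 1 ? "contains fix for CVE-2019-17543"
               : verdict == 0 ? "AFFECTED, upgrade to >= 1.9.2"
               : "unrecognised version string, check manually");
    }
    return 0;
}
```

The -1 path matters in practice: older lz4 tarballs used "rNNN" release names that this parser deliberately refuses to guess about, so an automated check reports them as unknown rather than silently passing them.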