Bug 1879225 (CVE-2020-8927)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2020-8927 brotli: buffer overflow when input chunk is larger than 2GiB | | |
| Product | [Other] Security Response | Reporter | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | unspecified | CC | andrew.slice, bodavis, carl, cmoore, dbhole, eclipseo, erack, fidencio, go-sig, kanderso, kaycoth, lvaleeva, omajid, pouar, rwagner, scorneli, tagoh |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | A buffer overflow flaw was found in the Brotli library. An attacker who can control the input length of a "one-shot" decompression request can trigger a crash. The issue occurs when copying chunks of data larger than 2 GiB. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2021-05-18 14:35:26 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1886473, 1879226, 1879227, 1879228, 1879230, 1881156, 1886474, 2062014, 2062015, 2062016, 2062017, 2062018, 2062019, 2062020, 2062021 | | |
| Bug Blocks | 1879229 | | |
Description
Guilherme de Almeida Suckevicz
2020-09-15 17:54:33 UTC
Created brotli tracking bugs for this issue:

Affects: epel-7 [bug 1879230]
Affects: fedora-all [bug 1879226]

Created golang-github-andybalholm-brotli tracking bugs for this issue:

Affects: fedora-all [bug 1879228]

Created mingw-brotli tracking bugs for this issue:

Affects: fedora-all [bug 1879227]

Mitigation:

This flaw can be mitigated by using the Streaming API instead of the One-Shot API and imposing chunk size limitations.

Anyone mind if I update Brotli to 1.0.9 in Fedora 32? because I'm not sure how to backport this to 1.0.7.

I don't think anyone would mind a security update.

Not sure why the Go-sig is CCed on this, for golang-github-andybalholm-brotli?

In reply to comment #10:
> Not sure why the Go-sig is CCed on this, for
> golang-github-andybalholm-brotli?

Yes. Go-sig is on the initialcc list for the component.

(In reply to pouar from comment #9)
> Anyone mind if I update Brotli to 1.0.9 in Fedora 32? because I'm not sure
> how to backport this to 1.0.7.

As far as I experienced it's not backportable at all if not using the decoder sources from 1.0.8. Be aware that starting from 1.0.8 all Java and Go related files and others are not part of the tarball anymore. I don't know if anything in F32 relies on those.

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1702 https://access.redhat.com/errata/RHSA-2021:1702

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8927

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0830 https://access.redhat.com/errata/RHSA-2022:0830

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0827 https://access.redhat.com/errata/RHSA-2022:0827

This issue has been addressed in the following products:

  .NET Core on Red Hat Enterprise Linux

Via RHSA-2022:0829 https://access.redhat.com/errata/RHSA-2022:0829

This issue has been addressed in the following products:

  .NET Core on Red Hat Enterprise Linux

Via RHSA-2022:0828 https://access.redhat.com/errata/RHSA-2022:0828