Bug 2124187 (CVE-2019-11922)

Summary: CVE-2019-11922 zstd: race condition in one-pass compression functions that could allow out of bounds write
Product: [Other] Security Response
Reporter: Sandipan Roy <saroy>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: databases-maint, eglynn, hhorak, igor.raits, jamartis, jjoyce, jorton, lhh, ljavorsk, manisandro, mburns, mgarciac, mschorm, p, spower, xavier, xinghong.chen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in zstd. A race condition in the one-pass compression functions of Zstandard allows an attacker to write bytes out of bounds if an output buffer smaller than the recommended size is used.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-11-26 12:15:01 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2124189

Description Sandipan Roy 2022-09-05 07:57:23 UTC
=========================================================================
Ubuntu Security Notice USN-5593-1
September 01, 2022

libzstd vulnerability
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM

Summary:

Zstandard could be made to execute arbitrary code if it received specially
crafted input.

Software Description:
- libzstd: fast lossless compression algorithm

Details:

It was discovered that Zstandard incorrectly handled certain inputs.
An attacker could possibly use this issue to execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.04 ESM:
  libzstd1                        1.3.1+dfsg-1~ubuntu0.16.04.1+esm2
  zstd                            1.3.1+dfsg-1~ubuntu0.16.04.1+esm2

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-5593-1
  CVE-2019-11922
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11922

Comment 2 Product Security DevOps Team 2022-11-26 12:14:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11922