blosc2.c in Blosc C-Blosc2 through 2.0.0.beta.5 has a heap-based buffer overflow when there is a lack of space to write compressed data. Reference: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26442 Upstream patch: https://github.com/Blosc/c-blosc2/commit/c4c6470e88210afc95262c8b9fcc27e30ca043ee
Created blosc tracking bugs for this issue: Affects: epel-all [bug 1903234] Affects: fedora-all [bug 1903233] Affects: openstack-rdo [bug 1903235]
Statement: OpenShift Container Platform (OCP) 4 temporarily shipped one version of the blosc package in OCP 4.3.0. Updates to the blosc package, which is used in the ironic-hardware-inventory-recorder-image container are consumed from OpenStack Platform 16 repositories. In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP blosc package.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-29367