Bug 1765316 (CVE-2019-17543) - CVE-2019-17543 lz4: heap-based buffer overflow in LZ4_write32
Summary: CVE-2019-17543 lz4: heap-based buffer overflow in LZ4_write32
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-17543
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1765317 1765318 1791798 1791799
Blocks: 1765319
 
Reported: 2019-10-24 19:35 UTC by Guilherme de Almeida Suckevicz
Modified: 2025-01-31 16:13 UTC (History)

Fixed In Version: lz4 1.9.2
Clone Of:
Environment:
Last Closed: 2021-10-25 22:13:10 UTC
Embargoed:



Description Guilherme de Almeida Suckevicz 2019-10-24 19:35:56 UTC
LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."

Reference:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941

Upstream patches:
https://github.com/lz4/lz4/pull/756
https://github.com/lz4/lz4/pull/760

Comment 1 Guilherme de Almeida Suckevicz 2019-10-24 19:36:12 UTC
Created lz4 tracking bugs for this issue:

Affects: epel-6 [bug 1765318]
Affects: fedora-all [bug 1765317]

Comment 3 Joshua Padman 2019-11-11 01:48:16 UTC
Statement:

Red Hat OpenStack Platform 10 packages an older version of lz4 that has the flawed code. However, because OpenStack has been using RHEL's updated lz4 version since RHEL 7.5 started to include it, Red Hat is not currently updating the OpenStack lz4 package.

Comment 4 Huzaifa S. Sidhpurwala 2020-01-16 13:46:18 UTC
As per upstream:

Actually, in most systems, including the lz4 frame format and API, the bug is just out of reach. That's what makes it so difficult to discover, and since it also requires multiple uncommon constraints on the encoder side, which are out of direct control from an external actor (in contrast with the payload), this bug is rarely "reachable", making it a poor exploit vector.

Note that the CLI is immune to this bug, as it does not present the required constraints to be exposed, hence the suggested reproduction command lz4 -1 -l outfile should not work. The CLI is considered safe, for all versions. It's only a few specific / uncommon usages of the API which are at risk.

We invite all users of LZ4 to upgrade to v1.9.2, to reduce exposure to risks, but the risk is low: specifically, the lz4 CLI is safe, and all "common" usages of the API (covered by the documentation) are safe too.
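
Because the fix is tied to an upstream release (Fixed In Version: lz4 1.9.2) and, per the upstream note above, the CLI is safe while only uncommon liblz4 API usages are exposed, the practical first check is which upstream version the liblz4 an application links against carries. The POSIX shell script below is an added example written for this page, not code from the bug report or from the LZ4 project. It pulls a MAJOR.MINOR.PATCH token out of strings shaped like `lz4 --version` output or an rpm name-version-release (the sample strings are constructed, not captured) and compares it against 1.9.2. It assumes upstream's three-part numbering; a distribution that backported the fix keeps its old version number, so a result of "affected" is a prompt to read the package changelog or errata, not a verdict.

```shell
#!/bin/sh
# Added example (not from the bug report or the LZ4 project): decide whether an
# lz4 version string predates the 1.9.2 release that carries the fix.
# Assumption: upstream MAJOR.MINOR.PATCH numbering. Distribution backports do
# not change this number and must be checked in the package changelog.

FIXED_LZ4_VERSION="1.9.2"   # the "Fixed In Version" field of this bug

# lz4_version_extract STRING: print the first MAJOR.MINOR.PATCH token in
# STRING, or nothing. Every character that is not a digit or a dot is turned
# into a line break, so "v1.8.3," and "lz4-1.8.3-3.el8.x86_64" both yield 1.8.3.
lz4_version_extract() {
    printf '%s\n' "$1" \
        | tr -c '0-9.\n' '\n' \
        | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)$/\1.\2.\3/p' \
        | head -n 1
}

# version_lt A B: return 0 if A sorts numerically before B, comparing the
# three components in turn (so 1.10.0 is newer than 1.9.2, unlike a string sort).
version_lt() {
    a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}; a3=${rest#*.}
    b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}; b3=${rest#*.}
    if [ "$a1" -ne "$b1" ]; then
        if [ "$a1" -lt "$b1" ]; then return 0; else return 1; fi
    fi
    if [ "$a2" -ne "$b2" ]; then
        if [ "$a2" -lt "$b2" ]; then return 0; else return 1; fi
    fi
    if [ "$a3" -lt "$b3" ]; then return 0; else return 1; fi
}

# lz4_version_vulnerable STRING: 0 if the version is below 1.9.2 (affected),
# 1 if it is 1.9.2 or newer, 2 if no version could be parsed from STRING.
lz4_version_vulnerable() {
    v=$(lz4_version_extract "$1")
    if [ -z "$v" ]; then
        return 2
    fi
    if version_lt "$v" "$FIXED_LZ4_VERSION"; then
        return 0
    fi
    return 1
}

# Inputs come from the command line; with none given, run over constructed
# samples shaped like "lz4 --version" output and an rpm name-version-release.
if [ "$#" -eq 0 ]; then
    set -- "1.9.1" \
           "*** LZ4 command line interface 64-bits v1.8.3, by Yann Collet ***" \
           "lz4-1.9.2-1.fc31.x86_64"
fi
for s in "$@"; do
    rc=0
    lz4_version_vulnerable "$s" || rc=$?
    case "$rc" in
        0) echo "AFFECTED (below $FIXED_LZ4_VERSION): $s" ;;
        1) echo "fixed upstream version:              $s" ;;
        *) echo "no version found:                    $s" ;;
    esac
done
```

To check a real host, pass the strings in, for example `sh check.sh "$(lz4 --version 2>&1)"` or, on Fedora and RHEL, `sh check.sh "$(rpm -q lz4-libs)"`. Keep in mind what the script does not tell you: an application may bundle its own copy of liblz4 rather than the system one, and only code calling the API in the uncommon ways described above is reachable, so the version number bounds exposure rather than proving it.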

