Bug 25805

Done!

Advisory:
========================

Updated lz4 packages fix security vulnerability:

Heap-based buffer overflow in LZ4_write32 (CVE-2019-17543).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17543
https://lists.opensuse.org/opensuse-updates/2019-10/msg00171.html
========================

Updated packages in core/updates_testing:
========================
liblz4-devel-1.9.2-1.mga7
liblz4-static-devel-1.9.2-1.mga7
liblz4_1-1.9.2-1.mga7

from lz4-1.9.2-1.mga7.src.rpm

Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210

Installed and tested without issue.

Tests:
- creating a lz4 compressed fs using the mksquashfs command from the squashfs-tools;
- creating a database table compressed with lz4, in a innodb database, in a mariadb database server;

Note: The lz4 command in the lz4 package does not seem to use the lz4 library so I'm not including it in the tests.


System: Mageia 7, x86_64, Intel CPU.


$ uname -a
Linux marte 5.4.2-desktop-1.mga7 #1 SMP Thu Dec 5 17:40:00 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep lz4
lib64lz4-devel-1.9.2-1.mga7
liblz4_1-1.9.2-1.mga7
lib64lz4_1-1.9.2-1.mga7
lz4-1.9.2-1.mga7
$ mksquashfs ~/tmp /tmp/test.squash -comp lz4
Parallel mksquashfs: Using 4 processors
Creating 4.0 filesystem on /tmp/test.squash, block size 131072.


Exportable Squashfs 4.0 filesystem, lz4 compressed, data block size 131072
        compressed data, compressed metadata, compressed fragments, compressed xattrs
        duplicates are removed
<SNIP>
$ grep liblz4 lz4.log 
openat(AT_FDCWD, "/lib64/liblz4.so.1", O_RDONLY|O_CLOEXEC) = 3

CC: (none) => mageia
Whiteboard: (none) => MGA7-64-OK

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0375.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED