| Summary: | lz4 new security issue CVE-2021-3520 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, geiger.david68210, ouaurelien, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7TOO MGA7-64-OK MGA8-64-Ok | | |
| Source RPM: | lz4-1.9.3-1.mga8.src.rpm | CVE: | CVE-2021-3520 |
| Status comment: | | | |
Description
David Walser 2021-05-28 22:28:04 CEST

David Walser 2021-05-28 22:28:21 CEST
CC: (none) => geiger.david68210

Done for Cauldron, mga8 and mga7! Assigning to DavidG as having already done it!

CC: geiger.david68210 => (none)

Updated packages in core/updates_testing:
lz4-1.9.2-1.1.mga7
liblz4-devel-1.9.2-1.1.mga7
liblz4-static-devel-1.9.2-1.1.mga7
liblz4_1-1.9.2-1.1.mga7
lz4-1.9.3-1.1.mga8
liblz4-static-devel-1.9.3-1.1.mga8
liblz4_1-1.9.3-1.1.mga8
liblz4-devel-1.9.3-1.1.mga8

from SRPMS:
lz4-1.9.2-1.1.mga7.src.rpm
lz4-1.9.3-1.1.mga8.src.rpm

CC: (none) => geiger.david68210

MGA7 - 64bit
The following 3 packages are going to be installed:
- lib64lz4-devel-1.9.2-1.1.mga7.x86_64
- lib64lz4_1-1.9.2-1.1.mga7.x86_64
- lz4-1.9.2-1.1.mga7.x86_64

Compressed a text file:
$ lz4 -12 kerneldesktop510141.txt
Compressed filename will be : kerneldesktop510141.txt.lz4
kerneldesktop510141.txt.lz4 already exists; do you wish to overwrite (y/N) ? y
Compressed 381 bytes into 223 bytes ==> 58.53%

Decompressed:
$ lz4 -d kerneldesktop510141.txt.lz4
Decoding file kerneldesktop510141.txt
kerneldesktop510141.txt already exists; do you wish to overwrite (y/N) ? y
kerneldesktop510141. : decoded 381 bytes

Confirmed the text file looks fine.

CC: (none) => brtians1
MGA8 - 64
The following 4 packages are going to be installed:
- lib64lz4-devel-1.9.3-1.1.mga8.x86_64
- lib64lz4-static-devel-1.9.3-1.1.mga8.x86_64
- lib64lz4_1-1.9.3-1.1.mga8.x86_64
- lz4-1.9.3-1.1.mga8.x86_64
2.4MB of additional disk space will be used.

$ lz4 -12 lz4_installed
Compressed filename will be : lz4_installed.lz4
Compressed 248 bytes into 185 bytes ==> 74.60%
$ lz4 -d lz4_installed.lz4
Decoding file lz4_installed
lz4_installed already exists; do you wish to overwrite (y/N) ? y
lz4_installed.lz4 : decoded 248 bytes

cat'd the file, it looks fine.

Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-Ok

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs

Advisory:
========================

Updated lz4 packages fix a security vulnerability:

An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well (CVE-2021-3520).

References:
- https://bugs.mageia.org/show_bug.cgi?id=28990
- https://www.debian.org/security/2021/dsa-4919
- https://ubuntu.com/security/notices/USN-4968-1
========================

Updated packages in 7/core/updates_testing:
========================
lz4-1.9.2-1.1.mga7
lib(64)lz4-devel-1.9.2-1.1.mga7
lib(64)lz4-static-devel-1.9.2-1.1.mga7
lib(64)lz4_1-1.9.2-1.1.mga7

from SRPM:
lz4-1.9.2-1.1.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
lz4-1.9.3-1.1.mga8
lib(64)lz4-static-devel-1.9.3-1.1.mga8
lib(64)lz4_1-1.9.3-1.1.mga8
lib(64)lz4-devel-1.9.3-1.1.mga8

from SRPM:
lz4-1.9.3-1.1.mga8.src.rpm

CC: (none) => ouaurelien

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0229.html

Status: NEW => RESOLVED