Ubuntu has issued an advisory on August 21: https://usn.ubuntu.com/4108-1/ The issue is fixed upstream in 1.3.8.
Done!
CC: (none) => geiger.david68210
Advisory:
========================

Updated zstd packages fix security vulnerability:

It was discovered that Zstandard incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code (CVE-2019-11922).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11922
https://usn.ubuntu.com/4108-1/
========================

Updated packages in core/updates_testing:
========================
zstd-1.3.8-1.mga6
libzstd1-1.3.8-1.mga6
libzstd-devel-1.3.8-1.mga6

from zstd-1.3.8-1.mga6.src.rpm
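Since the advisory gives no reproducer and the fix is identified only by version (1.3.8 and later carry it), the practical check on a host is whether the installed zstd reports a fixed version. The POSIX sh snippet below is an added example, not part of this bug report or of the Mageia packaging; it assumes the banner printed by `zstd --version` has the form `*** zstd command line interface 64-bits v1.3.8, by Yann Collet ***` and compares the parsed version against 1.3.8 field by field, so it does not depend on a `sort -V` being available.

```shell
#!/bin/sh
# Added example (not from the bug report): report whether a zstd version
# banner is at or above the release that carries the fix for CVE-2019-11922.
FIXED_VERSION="1.3.8"   # fixed upstream release named in the advisory

# Extract the dotted version ("1.3.8") from a banner such as
#   *** zstd command line interface 64-bits v1.3.8, by Yann Collet ***
# (banner format is an assumption). Prints nothing if no version is found.
zstd_parse_version() {
    printf '%s\n' "$1" | sed -n 's/.*v\([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: return 0 when dotted version A >= B, comparing each
# numeric field in turn; missing trailing fields count as 0 (1.3 == 1.3.0).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x:-0};  y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# zstd_version_fixed BANNER: 0 if the banner reports a fixed version,
# 1 if it reports an older one, 2 if no version could be parsed.
zstd_version_fixed() {
    v=$(zstd_parse_version "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$FIXED_VERSION"
}

# Stand-alone use: query the installed binary, if there is one.
if command -v zstd >/dev/null 2>&1; then
    banner=$(zstd --version 2>&1 | head -n 1)
    if zstd_version_fixed "$banner"; then
        echo "fixed: $banner"
    else
        echo "needs update or unrecognised banner: $banner"
    fi
fi
```

On an RPM-based system such as Mageia, `rpm -q zstd` gives the packaged version directly and is the more authoritative source when a distribution backports the fix without bumping the upstream version; the banner check above is for hosts where only the binary is at hand.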
Assignee: bugsquad => qa-bugs
mga6, x86_64

Explored the zstd options using the man page for reference. Updated the three packages to version 1.3.8. No reproducers for the CVE issue. Checked the man page for usage information.

Tried the training mode on a directory of small files but could not really make much sense of it.

$ zstd --train ruby/*
! Warning : data size of samples too small for target dictionary size
! Samples should be about 100x larger than target dictionary size
Trying 5 different sets of parameters
k=50
d=8
steps=4
Save dictionary of size 1040 into file dictionary

More basic operations worked better.

$ zstd -z *

This generated 13 .zst files from the original 13. Test their integrity.

$ zstd -t *.zst
$

This may mean that the files are all OK. Compression has very little effect on small files. Moved the compressed files to a test directory.

Original directory:

$ ll ..
total 60
-rw-r--r-- 1 lcl lcl 353 Mar 22 2018 addendum
-rw-r--r-- 1 lcl lcl 2179 Mar 3 2019 clunker.cml
-rw-r--r-- 1 lcl lcl 1576 Mar 22 2018 cutandpaste
-rw-r--r-- 1 lcl lcl 1616 Mar 26 2018 getrepo
-rwxr-xr-x 1 lcl lcl 248 Feb 19 2019 install-kodi*
-rw-r--r-- 1 lcl lcl 110 Jul 18 10:17 iso-preparation
-rw-r--r-- 1 lcl lcl 1298 Mar 23 2018 localrepo
-rw-r--r-- 1 lcl lcl 6705 Mar 23 2018 localtest.1
-rw-r--r-- 1 lcl lcl 1876 Mar 21 2018 lxqt
-rw-r--r-- 1 lcl lcl 1692 Mar 21 2018 lxqt.0
-rw-rw-r-- 1 lcl lcl 292 Mar 23 2018 martin
-rw-r--r-- 1 lcl lcl 47 Mar 21 10:52 playlist
-rw-r--r-- 1 lcl lcl 158 Feb 23 2019 rsyslog

$ ll *.zst
-rw-r--r-- 1 lcl lcl 210 Mar 22 2018 addendum.zst
-rw-r--r-- 1 lcl lcl 613 Mar 3 2019 clunker.cml.zst
-rw-r--r-- 1 lcl lcl 315 Mar 22 2018 cutandpaste.zst
-rw-r--r-- 1 lcl lcl 700 Mar 26 2018 getrepo.zst
-rwxr-xr-x 1 lcl lcl 138 Feb 19 2019 install-kodi.zst*
-rw-r--r-- 1 lcl lcl 72 Jul 18 10:17 iso-preparation.zst
-rw-r--r-- 1 lcl lcl 653 Mar 23 2018 localrepo.zst
-rw-r--r-- 1 lcl lcl 1446 Mar 23 2018 localtest.1.zst
-rw-r--r-- 1 lcl lcl 738 Mar 21 2018 lxqt.0.zst
-rw-r--r-- 1 lcl lcl 818 Mar 21 2018 lxqt.zst
-rw-rw-r-- 1 lcl lcl 197 Mar 23 2018 martin.zst
-rw-r--r-- 1 lcl lcl 60 Mar 21 10:52 playlist.zst
-rw-r--r-- 1 lcl lcl 99 Feb 23 2019 rsyslog.zst

Note that playlist.zst is bigger than the original file.

Moved to a directory with many small files.

$ zstd -z -T4 *

This compressed most of the files by a factor of between 2.4 and 3, named as *.zst without affecting the originals. The -T option specifies threaded operation. In this case 4 CPU cores were used.

Copied the compressed files elsewhere and decompressed one of them.

$ zstd -d smokestack.rb.zst
smokestack.rb.zst : 951 bytes
$ ll smokestack*
-rw-r--r-- 1 lcl lcl 951 Sep 2 16:27 smokestack.rb
-rw-r--r-- 1 lcl lcl 431 Sep 2 16:27 smokestack.rb.zst

The recovered file looks exactly like the original source.

% zstd -d -T5 *

Also worked fine. The operations were far too fast to make much impression on gkrellm.

This is a complex tool with many options. These basic tests show that it is working fine for 64-bit.
CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
Validating. Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0257.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED