openSUSE has issued an advisory on October 29:
https://lists.opensuse.org/opensuse-updates/2019-10/msg00171.html
The issue is fixed upstream in 1.9.2.
Done!
Advisory:
========================

Updated lz4 packages fix security vulnerability:

Heap-based buffer overflow in LZ4_write32 (CVE-2019-17543).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17543
https://lists.opensuse.org/opensuse-updates/2019-10/msg00171.html
========================

Updated packages in core/updates_testing:
========================
liblz4-devel-1.9.2-1.mga7
liblz4-static-devel-1.9.2-1.mga7
liblz4_1-1.9.2-1.mga7

from lz4-1.9.2-1.mga7.src.rpm
Assignee: geiger.david68210 => qa-bugs
CC: (none) => geiger.david68210
Installed and tested without issue.

Tests:
- creating an lz4-compressed fs using the mksquashfs command from the squashfs-tools;
- creating a database table compressed with lz4, in an innodb database, in a mariadb database server;

Note: The lz4 command in the lz4 package does not seem to use the lz4 library, so I'm not including it in the tests.

System: Mageia 7, x86_64, Intel CPU.

$ uname -a
Linux marte 5.4.2-desktop-1.mga7 #1 SMP Thu Dec 5 17:40:00 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep lz4
lib64lz4-devel-1.9.2-1.mga7
liblz4_1-1.9.2-1.mga7
lib64lz4_1-1.9.2-1.mga7
lz4-1.9.2-1.mga7
$ mksquashfs ~/tmp /tmp/test.squash -comp lz4
Parallel mksquashfs: Using 4 processors
Creating 4.0 filesystem on /tmp/test.squash, block size 131072.
Exportable Squashfs 4.0 filesystem, lz4 compressed, data block size 131072
compressed data, compressed metadata, compressed fragments, compressed xattrs
duplicates are removed
<SNIP>
$ grep liblz4 lz4.log
openat(AT_FDCWD, "/lib64/liblz4.so.1", O_RDONLY|O_CLOEXEC) = 3
CC: (none) => mageia
Whiteboard: (none) => MGA7-64-OK
CC: (none) => tmb, sysadmin-bugs
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0375.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED