Ubuntu has issued an advisory on October 5: https://ubuntu.com/security/notices/USN-4568-1 The issue is fixed upstream in 1.0.9.
Pushed brotli-1.0.7-2.1.mga7 with a patch from Ubuntu to core/updates_testing for mga7.

SRPMS:
brotli-1.0.7-2.1.mga7

RPMS:
brotli-1.0.7-2.1.mga7
lib(64)brotlicommon1-1.0.7-2.1
lib(64)brotlienc1-1.0.7-2.1.mga7
lib(64)brotlidec1-1.0.7-2.1.mga7
lib(64)brotli-devel-1.0.7-2.1.mga7
python2-brotli-1.0.7-2.1.mga7
python3-brotli-1.0.7-2.1.mga7
Assignee: jani.valimaa => qa-bugs
Advisory:
========================

Updated brotli packages fix security vulnerability:

A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB (CVE-2020-8927).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8927
https://ubuntu.com/security/notices/USN-4568-1
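The advisory describes a failure class rather than a bug in one call site: a decoder handed a single "one-shot" request whose size is attacker-controlled ends up copying a chunk larger than 2 GiB. The defensive pattern on the calling side, independent of which library version is installed, is to decompress in a streaming loop with a fixed input piece size and a total-output cap chosen in advance. The following is an added example written for this page, not code from the bug report, the Mageia package or the brotli project. It assumes python3-brotli's `brotli.Decompressor().process()` interface for the brotli path and uses zlib's `decompressobj` as an always-available stand-in for the guard itself; the chunk size and the output cap are constructed values.

```python
"""Bounded streaming decompression guard (added example, not from the bug report).

The guard never issues a one-shot decompression of an attacker-sized buffer:
input is fed in fixed pieces, output is collected per step, and the running
total is compared against a cap after every step, so the caller never has to
allocate or copy more than max_out bytes (plus at most one step's output).
"""
import zlib

try:
    import brotli  # python3-brotli, as shipped in the update above
except ImportError:  # the guard logic itself does not depend on brotli
    brotli = None

INPUT_CHUNK = 64 * 1024              # constructed: bytes fed per decoder step
DEFAULT_MAX_OUT = 256 * 1024 * 1024  # constructed: output cap for this example


class OutputTooLarge(Exception):
    """Raised when decompressed output would exceed the configured cap."""


def decompress_bounded(process, data, max_out=DEFAULT_MAX_OUT, chunk=INPUT_CHUNK):
    """Decompress `data` through `process(piece) -> bytes`, one piece at a time.

    `process` is any streaming decoder step, e.g. brotli.Decompressor().process
    or zlib.decompressobj().decompress. The cap is checked after every step, so
    a crafted stream can overshoot by at most one step's output before the
    guard fires, and the decoder is never given the whole input in one go.
    """
    out = bytearray()
    for off in range(0, len(data), chunk):
        piece = process(data[off:off + chunk])
        if len(out) + len(piece) > max_out:
            raise OutputTooLarge(
                f"decompressed output would exceed {max_out} bytes")
        out += piece
    return bytes(out)


def brotli_roundtrip(payload, max_out=DEFAULT_MAX_OUT):
    """Compress with brotli, then decode through the guard (needs python3-brotli)."""
    if brotli is None:
        raise RuntimeError("python3-brotli is not installed")
    compressed = brotli.compress(payload, quality=11)
    dec = brotli.Decompressor()
    result = decompress_bounded(dec.process, compressed, max_out=max_out)
    if not dec.is_finished():
        raise ValueError("truncated brotli stream")
    return result


def zlib_roundtrip(payload, max_out=DEFAULT_MAX_OUT):
    """Same guard driven by zlib, so the pattern can be exercised without brotli."""
    compressed = zlib.compress(payload, 9)
    dec = zlib.decompressobj()
    result = decompress_bounded(dec.decompress, compressed, max_out=max_out)
    return result + dec.flush()


def zlib_roundtrip_fits(payload, max_out):
    """True if the payload round-trips within the cap, False if the guard fired."""
    try:
        return zlib_roundtrip(payload, max_out) == payload
    except OutputTooLarge:
        return False


if __name__ == "__main__":
    sample = b"journal line\n" * 10000          # constructed, highly compressible
    print("fits 256 MiB cap:", zlib_roundtrip_fits(sample, DEFAULT_MAX_OUT))
    print("fits 1000-byte cap:", zlib_roundtrip_fits(sample, 1000))
    if brotli is not None:
        print("brotli round-trip ok:", brotli_roundtrip(sample) == sample)
```

The cap belongs to the caller, not the library: pick it from what the consuming code can legitimately hold (a journal file, a response body) and reject anything beyond it before the decoder has to copy it.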
mga7, x64

Tried out brotli before updating, compressing a large iso, which took about three hours. Default compression was about 1.2.

Updated all 7 packages. Tried different compression factors.

$ brotli -5 oldjournal
$ ll oldjournal*
-rw-r--r-- 1 lcl lcl 6135857 Apr 10 2016 oldjournal
-rw-r--r-- 1 lcl lcl 1898034 Apr 10 2016 oldjournal.br
$ brotli -9 --suffix=br9 oldjournal
-rw-r--r-- 1 lcl lcl 1707709 Apr 10 2016 oldjournalbr9
$ brotli -S .br11 -q 11 oldjournal
-rw-r--r-- 1 lcl lcl 1555693 Apr 10 2016 oldjournal.br11

11 is the default and maximum compression level.

Tested decompression and file naming.

$ brotli -d -S .9 oldjournalbr9
input file [oldjournalbr9] suffix mismatch
$ brotli -d oldjournalbr9 -o oldjournalbr9.9

That worked.

$ mv oldjournal oldjournal.0
$ brotli -d oldjournal.br
$ brotli -d oldjournal.br11 -o oldjournal.11
$ ll oldjournal*
-rw-r--r-- 1 lcl lcl 6135857 Apr 10 2016 oldjournal
-rw-r--r-- 1 lcl lcl 6135857 Apr 10 2016 oldjournal.0
-rw-r--r-- 1 lcl lcl 6135857 Apr 10 2016 oldjournal.11
-rw-r--r-- 1 lcl lcl 1898034 Apr 10 2016 oldjournal.br
-rw-r--r-- 1 lcl lcl 1555693 Apr 10 2016 oldjournal.br11
-rw-r--r-- 1 lcl lcl 1707709 Apr 10 2016 oldjournalbr9
-rw-r--r-- 1 lcl lcl 6135857 Apr 10 2016 oldjournalbr9.9
$ diff oldjournal.0 oldjournal.11
$

That shows that compression and decompression are reliable.

$ brotli -v --test oldjournal.br11

Confirms the integrity of a compressed file.

$ brotli -V
brotli 1.0.7

$ brotli -vZ -w 12 -S .w12 oldjournal

Using a window size of 4K slows down the compression and increases the size of the compressed file.

-rw-r--r-- 1 lcl lcl 2213492 Apr 10 2016 oldjournal.w12

All this looks fine.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => tarazed25
Addendum to comment 3:

$ brotli -vZ -w 0 -S .w0 oldjournal
-rw-r--r-- 1 lcl lcl 1555693 Apr 10 2016 oldjournal.w0

Window size 0 lets the compressor use the optimum value.
Validating and advisory done.
CC: (none) => ouaurelien
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0385.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED