Vulnerability CVE-2019-17543: Information

Description

LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."

Severity: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2019-17543
Published: Oct. 14, 2019
Modified: Nov. 7, 2023
Error type identifier: CWE-787

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
MySQLsisyphus8.0.26-alt18.0.36-alt1ALT-PU-2021-2461-1281108Fixed
MySQLsisyphus_riscv648.0.27-alt1.0.rv648.0.30-alt0.2.rv64ALT-PU-2021-4503-1-Fixed
MySQLp108.0.26-alt18.0.36-alt1ALT-PU-2021-2477-1282098Fixed
MySQLp98.0.26-alt18.0.26-alt2ALT-PU-2021-2571-1282101Fixed
MySQLc10f18.0.26-alt18.0.36-alt1ALT-PU-2021-2477-1282098Fixed
MySQLc9f28.0.26-alt28.0.36-alt0.c9.1ALT-PU-2021-3668-1291746Fixed
lz4sisyphus1.9.2-alt11.9.4-alt1ALT-PU-2019-2817-1238585Fixed
lz4p101.9.2-alt11.9.3-alt1ALT-PU-2019-2817-1238585Fixed
lz4p91.9.2-alt11.9.2-alt1ALT-PU-2019-2830-1238696Fixed
lz4c10f11.9.2-alt11.9.3-alt1ALT-PU-2019-2817-1238585Fixed
lz4c9f21.9.2-alt11.9.2-alt1ALT-PU-2019-2830-1238696Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/lz4/lz4/pull/756
  • Patch
  • Third Party Advisory
https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2
  • Third Party Advisory
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941
  • Third Party Advisory
https://github.com/lz4/lz4/pull/760
  • Patch
  • Third Party Advisory
https://github.com/lz4/lz4/issues/801
  • Third Party Advisory
openSUSE-SU-2019:2399
    openSUSE-SU-2019:2398
      https://www.oracle.com/security-alerts/cpuoct2020.html
        N/A
          https://security.netapp.com/advisory/ntap-20210723-0001/
            [arrow-issues] 20191024 [jira] [Created] (ARROW-6984) Update LZ4 to 1.9.2 for CVE-2019-17543
              [arrow-dev] 20191024 [jira] [Created] (ARROW-6984) Update LZ4 to 1.9.2 for CVE-2019-17543
                [arrow-issues] 20191024 [jira] [Updated] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543
                  [arrow-issues] 20191024 [jira] [Assigned] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543
                    [arrow-issues] 20191025 [jira] [Commented] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543
                      [arrow-issues] 20191106 [jira] [Resolved] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543
                        [kudu-issues] 20200621 [jira] [Updated] (KUDU-3156) Whether the CVE-2019-17543 vulnerability of lz affects kudu
                          [kudu-issues] 20200709 [jira] [Resolved] (KUDU-3156) Whether the CVE-2019-17543 vulnerability of lz affects kudu
                            https://lists.apache.org/thread.html/r0fb226357e7988a241b06b93bab065bcea2eb38658b382e485960e26%40%3Cissues.kudu.apache.org%3E

                                1. Configuration 1

                                  cpe:2.3:a:lz4_project:lz4:*:*:*:*:*:*:*:*
                                  End excliding
                                  1.9.2
                              VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
                              Version: v24.4.2
                              Back to top