import lz4-1.8.3-3.el8_4

SOURCES/lz4-cve-2021-3520.patch

@@ -0,0 +1,24 @@
+From 97f58e5fe5ff44fc9f7c86f6f67a11223379e640 Mon Sep 17 00:00:00 2001
+From: Jakub Martisko <jamartis@redhat.com>
+Date: Fri, 7 May 2021 13:08:24 +0200
+Subject: [PATCH] Fix: cve-2021-3520
+
+---
+ lib/lz4.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/lz4.c b/lib/lz4.c
+index 4046102..c18c1f6 100644
+--- a/lib/lz4.c
++++ b/lib/lz4.c
+@@ -1437,6 +1437,7 @@ LZ4_decompress_generic(
+     /* Special cases */
+     assert(lowPrefix <= op);
+     assert(src != NULL);
++    if (outputSize < 0) {return -1;};
+     if ((endOnInput) && (unlikely(outputSize==0))) return ((srcSize==1) && (*ip==0)) ? 0 : -1;  /* Empty output buffer */
+     if ((!endOnInput) && (unlikely(outputSize==0))) return (*ip==0 ? 1 : -1);
+     if ((endOnInput) && unlikely(srcSize==0)) return -1;
+-- 
+2.30.1
+

SPECS/lz4.spec

@@ -1,6 +1,6 @@
 Name:           lz4
 Version:        1.8.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Extremely fast compression algorithm
 
 License:        GPLv2+ and BSD
@@ -9,6 +9,8 @@ Source0:        https://github.com/Cyan4973/lz4/archive/v%{version}/%{name}-%{ve
 
 Obsoletes:      %{name} < 1.7.5-3
 
+Patch1: lz4-cve-2021-3520.patch
+
 %description
 LZ4 is an extremely fast loss-less compression algorithm, providing compression
 speed at 400 MB/s per core, scalable with multi-core CPU. It also features
@@ -38,7 +40,7 @@ LZ4 is an extremely fast loss-less compression algorithm. This package
 contains static libraries for static linking of applications.
 
 %prep
-%autosetup
+%autosetup -p1
 echo '#!/bin/sh' > ./configure
 chmod +x ./configure
 
@@ -79,6 +81,10 @@ chmod +x ./configure
 %{_libdir}/liblz4.a
 
 %changelog
+* Fri May 07 2021 Jakub Martisko <jamartis@redhat.com> - 1.8.3-3
+- Fix memory corruption due to an integer overflow
+_ Resolves: CVE-2021-3520
+
 * Tue May 26 2020 Jakub Martisko <jamartis@redhat.com> - 1.8.3-2
 - Rebuilding with the new gating tests
 - Related: 1840046