diff --git a/lz4-cve-2021-3520.patch b/lz4-cve-2021-3520.patch new file mode 100644 index 0000000..8a22dce --- /dev/null +++ b/lz4-cve-2021-3520.patch @@ -0,0 +1,22 @@ +From 8301a21773ef61656225e264f4f06ae14462bca7 Mon Sep 17 00:00:00 2001 +From: Jasper Lievisse Adriaanse +Date: Fri, 26 Feb 2021 15:21:20 +0100 +Subject: [PATCH] Fix potential memory corruption with negative memmove() size + +--- + lib/lz4.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/lz4.c b/lib/lz4.c +index 5f524d01..c2f504ef 100644 +--- a/lib/lz4.c ++++ b/lib/lz4.c +@@ -1749,7 +1749,7 @@ LZ4_decompress_generic( + const size_t dictSize /* note : = 0 if noDict */ + ) + { +- if (src == NULL) { return -1; } ++ if ((src == NULL) || (outputSize < 0)) { return -1; } + + { const BYTE* ip = (const BYTE*) src; + const BYTE* const iend = ip + srcSize; diff --git a/lz4.spec b/lz4.spec index cad40f6..2085683 100644 --- a/lz4.spec +++ b/lz4.spec @@ -2,7 +2,7 @@ Name: lz4 Version: 1.9.3 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Extremely fast compression algorithm License: GPLv2+ and BSD @@ -15,6 +15,7 @@ BuildRequires: make BuildRequires: gcc BuildRequires: meson >= 0.43 +Patch1: lz4-cve-2021-3520.patch %description LZ4 is an extremely fast loss-less compression algorithm, providing compression speed at 400 MB/s per core, scalable with multi-core CPU. It also features @@ -44,7 +45,7 @@ LZ4 is an extremely fast loss-less compression algorithm. This package contains static libraries for static linking of applications. %prep -%autosetup +%autosetup -p1 %build %meson \ @@ -82,6 +83,10 @@ contains static libraries for static linking of applications. %{_libdir}/liblz4.a %changelog +* Thu May 27 2021 Jakub Martisko - 1.9.3-4 +- Fix cve-2021-3520 +resolves: cve-2021-3520 + * Fri Apr 16 2021 Mohan Boddu - 1.9.3-3 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937