From e0b768ba73b989028502ef75e3a5fc811b06a3c2 Mon Sep 17 00:00:00 2001
From: Niklas Fiekas
Date: Fri, 26 Aug 2022 20:17:00 +0200
Subject: [PATCH] lz4-sys: Forward CVE-2021-3520 (#1383)

---
 crates/lz4-sys/RUSTSEC-0000-0000.md | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 crates/lz4-sys/RUSTSEC-0000-0000.md

diff --git a/crates/lz4-sys/RUSTSEC-0000-0000.md b/crates/lz4-sys/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000..0a898f0
--- /dev/null
+++ b/crates/lz4-sys/RUSTSEC-0000-0000.md
@@ -0,0 +1,25 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "lz4-sys"
+date = "2022-08-25"
+url = "https://github.com/lz4/lz4/pull/972"
+categories = ["memory-corruption"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+keywords = ["integer-overflow", "out-of-bounds"]
+related = ["CVE-2021-3520"]
+
+[versions]
+patched = [">= 1.9.4"]
+```
+
+# Memory corruption in liblz4
+
+lz4-sys up to v1.9.3 bundles a version of liblz4 that is vulnerable to
+[CVE-2021-3520](https://nvd.nist.gov/vuln/detail/CVE-2021-3520).
+
+Attackers could craft a payload that triggers an integer overflow upon
+decompression, causing an out-of-bounds write.
+
+The flaw has been corrected in version v1.9.4 of liblz4, which is included
+in lz4-sys 1.9.4.