OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2026-02-13 21:18:11 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
2baed2be405e301c0fb3398b6b28126bad0bdf81
advisory-db/crates/lz4-sys/RUSTSEC-2022-0051.md
github-actions[bot] e0f55ed7b5 Assigned RUSTSEC-2022-0051 to lz4-sys (#1385) 
Co-authored-by: Shnatsel <Shnatsel@users.noreply.github.com>
2022-08-26 20:18:18 +02:00

714 B
Raw Blame History 

[advisory]
id = "RUSTSEC-2022-0051"
package = "lz4-sys"
date = "2022-08-25"
url = "https://github.com/lz4/lz4/pull/972"
categories = ["memory-corruption"]
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
keywords = ["integer-overflow", "out-of-bounds"]
related = ["CVE-2021-3520"]

[versions]
patched = [">= 1.9.4"]

Memory corruption in liblz4

lz4-sys up to v1.9.3 bundles a version of liblz4 that is vulnerable to CVE-2021-3520.

Attackers could craft a payload that triggers an integer overflow upon decompression, causing an out-of-bounds write.

The flaw has been corrected in version v1.9.4 of liblz4, which is included in lz4-sys 1.9.4.