ALAS2022-2022-169


Amazon Linux 2022 Security Advisory: ALAS-2022-169
Advisory Release Date: 2022-11-01 21:23 Pacific
Advisory Updated Date: 2022-11-03 21:02 Pacific
Severity: Medium

Issue Overview:

There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well. (CVE-2021-3520)


Affected Packages:

lz4


Issue Correction:
Run dnf update lz4 --releasever=2022.0.20221102 to update your system.

New Packages:
aarch64:
    lz4-static-1.9.4-1.amzn2022.0.1.aarch64
    lz4-debugsource-1.9.4-1.amzn2022.0.1.aarch64
    lz4-devel-1.9.4-1.amzn2022.0.1.aarch64
    lz4-libs-1.9.4-1.amzn2022.0.1.aarch64
    lz4-libs-debuginfo-1.9.4-1.amzn2022.0.1.aarch64
    lz4-1.9.4-1.amzn2022.0.1.aarch64
    lz4-debuginfo-1.9.4-1.amzn2022.0.1.aarch64

src:
    lz4-1.9.4-1.amzn2022.0.1.src

x86_64:
    lz4-libs-1.9.4-1.amzn2022.0.1.x86_64
    lz4-libs-debuginfo-1.9.4-1.amzn2022.0.1.x86_64
    lz4-devel-1.9.4-1.amzn2022.0.1.x86_64
    lz4-debugsource-1.9.4-1.amzn2022.0.1.x86_64
    lz4-static-1.9.4-1.amzn2022.0.1.x86_64
    lz4-1.9.4-1.amzn2022.0.1.x86_64
    lz4-debuginfo-1.9.4-1.amzn2022.0.1.x86_64