Amazon Linux 2022 Security Advisory: ALAS-2022-169
Advisory Release Date: 2022-11-01 21:23 Pacific
Advisory Updated Date: 2022-11-03 21:02 Pacific
There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well. (CVE-2021-3520)
Affected Packages:
lz4
Issue Correction:
Run dnf update lz4 --releasever=2022.0.20221102 to update your system.
aarch64:
lz4-static-1.9.4-1.amzn2022.0.1.aarch64
lz4-debugsource-1.9.4-1.amzn2022.0.1.aarch64
lz4-devel-1.9.4-1.amzn2022.0.1.aarch64
lz4-libs-1.9.4-1.amzn2022.0.1.aarch64
lz4-libs-debuginfo-1.9.4-1.amzn2022.0.1.aarch64
lz4-1.9.4-1.amzn2022.0.1.aarch64
lz4-debuginfo-1.9.4-1.amzn2022.0.1.aarch64
src:
lz4-1.9.4-1.amzn2022.0.1.src
x86_64:
lz4-libs-1.9.4-1.amzn2022.0.1.x86_64
lz4-libs-debuginfo-1.9.4-1.amzn2022.0.1.x86_64
lz4-devel-1.9.4-1.amzn2022.0.1.x86_64
lz4-debugsource-1.9.4-1.amzn2022.0.1.x86_64
lz4-static-1.9.4-1.amzn2022.0.1.x86_64
lz4-1.9.4-1.amzn2022.0.1.x86_64
lz4-debuginfo-1.9.4-1.amzn2022.0.1.x86_64