ALAS2023-2023-015


Amazon Linux 2023 Security Advisory: ALAS-2023-015
Advisory Release Date: 2023-02-17 20:43 Pacific
Advisory Updated Date: 2023-02-22 23:57 Pacific
Severity: Medium

Issue Overview:

There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well. (CVE-2021-3520)


Affected Packages:

lz4


Issue Correction:
Run dnf update lz4 --releasever=2023.0.20230222 to update your system.

New Packages:
aarch64:
    lz4-libs-1.9.4-1.amzn2023.0.2.aarch64
    lz4-1.9.4-1.amzn2023.0.2.aarch64
    lz4-libs-debuginfo-1.9.4-1.amzn2023.0.2.aarch64
    lz4-debuginfo-1.9.4-1.amzn2023.0.2.aarch64
    lz4-static-1.9.4-1.amzn2023.0.2.aarch64
    lz4-debugsource-1.9.4-1.amzn2023.0.2.aarch64
    lz4-devel-1.9.4-1.amzn2023.0.2.aarch64

src:
    lz4-1.9.4-1.amzn2023.0.2.src

x86_64:
    lz4-debuginfo-1.9.4-1.amzn2023.0.2.x86_64
    lz4-libs-1.9.4-1.amzn2023.0.2.x86_64
    lz4-static-1.9.4-1.amzn2023.0.2.x86_64
    lz4-libs-debuginfo-1.9.4-1.amzn2023.0.2.x86_64
    lz4-debugsource-1.9.4-1.amzn2023.0.2.x86_64
    lz4-devel-1.9.4-1.amzn2023.0.2.x86_64
    lz4-1.9.4-1.amzn2023.0.2.x86_64