CVE - CVE-2019-17543

CVE-ID
CVE-2019-17543	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:https://security.netapp.com/advisory/ntap-20210723-0001/ MISC:https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941 URL:https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941 MISC:https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2 URL:https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2 MISC:https://github.com/lz4/lz4/issues/801 URL:https://github.com/lz4/lz4/issues/801 MISC:https://github.com/lz4/lz4/pull/756 URL:https://github.com/lz4/lz4/pull/756 MISC:https://github.com/lz4/lz4/pull/760 URL:https://github.com/lz4/lz4/pull/760 MISC:https://lists.apache.org/thread.html/r0fb226357e7988a241b06b93bab065bcea2eb38658b382e485960e26@%3Cissues.kudu.apache.org%3E URL:https://lists.apache.org/thread.html/r0fb226357e7988a241b06b93bab065bcea2eb38658b382e485960e26@%3Cissues.kudu.apache.org%3E MISC:https://www.oracle.com//security-alerts/cpujul2021.html URL:https://www.oracle.com//security-alerts/cpujul2021.html MISC:https://www.oracle.com/security-alerts/cpuoct2020.html URL:https://www.oracle.com/security-alerts/cpuoct2020.html MLIST:[arrow-dev] 20191024 [jira] [Created] (ARROW-6984) Update LZ4 to 1.9.2 for CVE-2019-17543 URL:https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3@%3Cdev.arrow.apache.org%3E MLIST:[arrow-issues] 20191024 [jira] [Assigned] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543 URL:https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316@%3Cissues.arrow.apache.org%3E MLIST:[arrow-issues] 20191024 [jira] [Created] (ARROW-6984) Update LZ4 to 1.9.2 for CVE-2019-17543 URL:https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3@%3Cissues.arrow.apache.org%3E MLIST:[arrow-issues] 20191024 [jira] [Updated] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543 URL:https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357@%3Cissues.arrow.apache.org%3E MLIST:[arrow-issues] 20191025 [jira] [Commented] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543 URL:https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17@%3Cissues.arrow.apache.org%3E MLIST:[arrow-issues] 20191106 [jira] [Resolved] (ARROW-6984) [C++] Update LZ4 to 1.9.2 for CVE-2019-17543 URL:https://lists.apache.org/thread.html/543302d55e2d2da4311994e9b0debdc676bf3fd05e1a2be3407aa2d6@%3Cissues.arrow.apache.org%3E MLIST:[kudu-issues] 20200621 [jira] [Updated] (KUDU-3156) Whether the CVE-2019-17543 vulnerability of lz affects kudu URL:https://lists.apache.org/thread.html/r7bc72200f94298bc9a0e35637f388deb53467ca4b2e2ad1ff66d8960@%3Cissues.kudu.apache.org%3E MLIST:[kudu-issues] 20200709 [jira] [Resolved] (KUDU-3156) Whether the CVE-2019-17543 vulnerability of lz affects kudu URL:https://lists.apache.org/thread.html/r4068ba81066792f2b4d208b39c4c4713c5d4c79bd8cb6c1904af5720@%3Cissues.kudu.apache.org%3E SUSE:openSUSE-SU-2019:2398 URL:http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html SUSE:openSUSE-SU-2019:2399 URL:http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html
Assigning CNA
MITRE Corporation
Date Record Created
20191014	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20191014)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)