Numeric Errors Affecting lz4 package, versions <0.0~r119-1
Snyk ID: SNYK-DEBIAN10-LZ4-287747
- published 3 Jul 2014
- disclosed 3 Jul 2014
Introduced: 3 Jul 2014
CVE-2014-4715
How to fix?
Upgrade Debian:10 lz4 to version 0.0~r119-1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream lz4 package and not the lz4 package as distributed by Debian. See "How to fix?" for Debian:10 relevant fixed versions and status.
Yann Collet LZ4 before r119, when used on certain 32-bit platforms that allocate memory beyond 0x80000000, does not properly detect integer overflows, which allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted Literal Run, a different vulnerability than CVE-2014-4611.
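As an added illustration (not code from the lz4 project or from this advisory), the two styles of bounds check the description contrasts: one that forms an end-of-run address and can wrap on a 32-bit platform once the buffer sits above 0x80000000, and a hardened one that compares the length against the remaining space. Addresses are modelled as uint32_t so the wrap reproduces on any host; the buffer addresses and the literal length are constructed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model, not lz4 project code: addresses of a 32-bit process are
 * held in uint32_t so that wrap-around at 2^32 is reproduced exactly and
 * portably, with no undefined pointer arithmetic involved. */
typedef uint32_t addr32_t;

/* Check in the style the advisory describes as defective: form the end-of-run
 * address first, then compare it with the buffer end. Once the buffer lies
 * above 0x80000000 and the literal length is large, op + length wraps past
 * zero and the wrapped value looks "in bounds" although the copy would run
 * past the buffer. */
bool literal_run_fits_unsafe(addr32_t op, addr32_t oend, uint32_t length)
{
    addr32_t cpy = op + length;               /* wraps modulo 2^32 */
    return cpy <= oend;
}

/* Hardened form: compare the length with the space that remains. oend - op
 * cannot wrap as long as op <= oend, and no overflow-prone sum is formed. */
bool literal_run_fits_safe(addr32_t op, addr32_t oend, uint32_t length)
{
    if (op > oend)                            /* corrupted cursor: reject */
        return false;
    return length <= (uint32_t)(oend - op);
}

/* Constructed scenario: a 64 KiB output buffer at 0xFFFE0000 (above
 * 0x80000000) and a 128 KiB literal run. Returns 1 when the defective check
 * accepts the overrun and the hardened check rejects it. */
int demo(void)
{
    addr32_t op     = 0xFFFE0000u;
    addr32_t oend   = 0xFFFF0000u;            /* op + 64 KiB */
    uint32_t length = 0x20000u;               /* 128 KiB: op + length wraps to 0 */
    int unsafe_accepts = literal_run_fits_unsafe(op, oend, length);
    int safe_accepts   = literal_run_fits_safe(op, oend, length);
    printf("defective check accepts overrun: %d\n", unsafe_accepts);
    printf("hardened check accepts overrun:  %d\n", safe_accepts);
    return unsafe_accepts && !safe_accepts;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```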
References
- Debian Security Tracker
- http://blog.securitymouse.com/2014/07/i-was-wrong-proving-lz4-exploitable.html
- http://fastcompression.blogspot.fr/2014/07/software-vulnerabilities-how-it-works.html
- https://code.google.com/p/lz4/issues/detail?id=134
- https://code.google.com/p/lz4/source/detail?r=119
- Secunia Advisory
- Ubuntu CVE Tracker