Race Condition Affecting libzstd package, versions <1.3.8+dfsg-2
Threat Intelligence
EPSS
3.11% (92nd
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN11-LIBZSTD-517447
- published 26 Jul 2019
- disclosed 25 Jul 2019
Introduced: 25 Jul 2019
CVE-2019-11922 Open this link in a new tabHow to fix?
Upgrade Debian:11 libzstd to version 1.3.8+dfsg-2 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream libzstd package and not the libzstd package as distributed by Debian.
See How to fix? for Debian:11 relevant fixed versions and status.
A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11922
- https://security-tracker.debian.org/tracker/CVE-2019-11922
- https://www.facebook.com/security/advisories/cve-2019-11922
- https://github.com/facebook/zstd/pull/1404/commits/3e5cdf1b6a85843e991d7d10f6a2567c15580da0
- https://www.oracle.com/security-alerts/cpuoct2020.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00008.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00062.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00078.html
- https://usn.ubuntu.com/4108-1/
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-11922
CVSS Scores
version 3.1