Amazon Linux 2022 Security Advisory: ALAS-2022-137
Advisory Release Date: 2022-09-13 19:08 Pacific
Advisory Updated Date: 2022-09-21 20:01 Pacific
There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well. (CVE-2021-3520)
Affected Packages:
lz4
Issue Correction:
Run dnf update lz4 --releasever=2022.0.20220921 to update your system.
aarch64:
lz4-debuginfo-1.9.4-1.amzn2022.aarch64
lz4-debugsource-1.9.4-1.amzn2022.aarch64
lz4-libs-debuginfo-1.9.4-1.amzn2022.aarch64
lz4-static-1.9.4-1.amzn2022.aarch64
lz4-libs-1.9.4-1.amzn2022.aarch64
lz4-devel-1.9.4-1.amzn2022.aarch64
lz4-1.9.4-1.amzn2022.aarch64
i686:
lz4-debuginfo-1.9.4-1.amzn2022.i686
lz4-debugsource-1.9.4-1.amzn2022.i686
lz4-libs-debuginfo-1.9.4-1.amzn2022.i686
lz4-static-1.9.4-1.amzn2022.i686
lz4-1.9.4-1.amzn2022.i686
lz4-libs-1.9.4-1.amzn2022.i686
lz4-devel-1.9.4-1.amzn2022.i686
src:
lz4-1.9.4-1.amzn2022.src
x86_64:
lz4-debuginfo-1.9.4-1.amzn2022.x86_64
lz4-debugsource-1.9.4-1.amzn2022.x86_64
lz4-devel-1.9.4-1.amzn2022.x86_64
lz4-libs-debuginfo-1.9.4-1.amzn2022.x86_64
lz4-libs-1.9.4-1.amzn2022.x86_64
lz4-static-1.9.4-1.amzn2022.x86_64
lz4-1.9.4-1.amzn2022.x86_64