Bug 1142941 - (CVE-2019-11922) VUL-1: CVE-2019-11922: zstd: race condition in one-pass compression functions could allow out of bounds write
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.0
Hardware: Other
OS: Other
Importance: P4 - Low / Normal
Assigned To: Bernhard Wiedemann
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/238018/
Whiteboard: CVSSv3.1:SUSE:CVE-2019-11922:0.0:(AV:...
Reported: 2019-07-26 05:31 UTC by Alexandros Toptsoglou
Modified: 2022-08-01 09:59 UTC (History)

Found By: Security Response Team

Description Alexandros Toptsoglou 2019-07-26 05:31:41 UTC
CVE-2019-11922

A race condition in the one-pass compression functions of Zstandard prior to
version 1.3.8 could allow an attacker to write bytes out of bounds if an output
buffer smaller than the recommended size was used.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11922
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11922
https://www.facebook.com/security/advisories/cve-2019-11922
https://github.com/facebook/zstd/pull/1404/commits/3e5cdf1b6a85843e991d7d10f6a2567c15580da0
Comment 1 Swamp Workflow Management 2019-08-02 11:20:18 UTC
This is an autogenerated message for OBS integration:
This bug (1142941) was mentioned in
https://build.opensuse.org/request/show/720572 Factory / zstd
https://build.opensuse.org/request/show/720573 15.0 / zstd
Comment 2 Swamp Workflow Management 2019-08-02 14:20:17 UTC
This is an autogenerated message for OBS integration:
This bug (1142941) was mentioned in
https://build.opensuse.org/request/show/720651 15.1 / zstd
Comment 3 Swamp Workflow Management 2019-08-12 19:12:09 UTC
openSUSE-SU-2019:1845-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1082318,1133297,1142941
CVE References: CVE-2019-11922
Sources used:
openSUSE Leap 15.1 (src):    zstd-1.4.2-lp151.3.3.1
Comment 4 Swamp Workflow Management 2019-08-19 16:20:53 UTC
openSUSE-SU-2019:1952-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1082318,1133297,1142941
CVE References: CVE-2019-11922
Sources used:
openSUSE Leap 15.0 (src):    zstd-1.4.2-lp150.2.3.1
Comment 5 Swamp Workflow Management 2019-08-24 22:11:49 UTC
openSUSE-SU-2019:2008-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1082318,1133297,1142941
CVE References: CVE-2019-11922
Sources used:
openSUSE Backports SLE-15-SP1 (src):    zstd-1.4.2-bp151.4.3.1
openSUSE Backports SLE-15 (src):    zstd-1.4.2-bp150.3.3.1
Comment 6 Bernhard Wiedemann 2019-09-16 11:14:41 UTC
Fixed in all stable releases.
Tumbleweed already had the fix.