GHSA-9q5j-jm53-v7vr: lz4-sys vulnerable to memory corruption via issue in liblz4

September 1, 2022

lz4-sys up to v1.9.3 bundles a version of liblz4 that is vulnerable to CVE-2021-3520.

Attackers could craft a payload that triggers an integer overflow upon decompression, causing an out-of-bounds write.

The flaw has been corrected in version v1.9.4 of liblz4, which is included in lz4-sys 1.9.4.

References

github.com/advisories/GHSA-9q5j-jm53-v7vr
github.com/lz4/lz4/pull/972
rustsec.org/advisories/RUSTSEC-2022-0051.html

Detect and mitigate GHSA-9q5j-jm53-v7vr with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →