Bug 1142941 (CVE-2019-11922)

Summary: VUL-1: CVE-2019-11922: zstd: race condition in one-pass compression functions could allow out of bounds write
Product: [openSUSE] openSUSE Distribution
Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: Security
Assignee: Bernhard Wiedemann <bwiedemann>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
Version: Leap 15.0
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/238018/
Whiteboard: CVSSv3.1:SUSE:CVE-2019-11922:0.0:(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexandros Toptsoglou 2019-07-26 05:31:41 UTC
CVE-2019-11922

A race condition in the one-pass compression functions of Zstandard prior to
version 1.3.8 could allow an attacker to write bytes out of bounds if an output
buffer smaller than the recommended size was used.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11922
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11922
https://www.facebook.com/security/advisories/cve-2019-11922
https://github.com/facebook/zstd/pull/1404/commits/3e5cdf1b6a85843e991d7d10f6a2567c15580da0
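The practical question for an administrator reading this bug is whether the installed zstd packages are still at a version affected by the description above (upstream releases before 1.3.8), or already at the builds the advisories below ship. The script that follows is an added example, not part of this bug report or of the zstd project: it parses the output of `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' zstd libzstd1`, compares upstream versions with a simplified reimplementation of rpm's version ordering, and reports the result. The sample query output embedded in it is constructed, not captured from a real host, and the older version string `1.3.3 lp150.1.3` is invented for illustration.

```python
import re

# Upstream release that fixed CVE-2019-11922 (the CVE text says "prior to version 1.3.8").
FIXED_UPSTREAM_VERSION = "1.3.8"

# Fixed package builds named in the openSUSE advisories on this bug: (version, release).
ADVISORY_FIXED_BUILDS = {
    "openSUSE Leap 15.0": ("1.4.2", "lp150.2.3.1"),
    "openSUSE Leap 15.1": ("1.4.2", "lp151.3.3.1"),
}

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Simplified rpmvercmp(): split both strings into numeric and alphabetic
    segments, then compare segment by segment. Numeric segments compare as
    integers, alphabetic ones lexically, a numeric segment beats an alphabetic
    one, and when one string runs out of segments the longer one is newer.
    Tilde and caret handling from the real rpm implementation is omitted."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def parse_rpm_query(text):
    """Parse lines of the form '<name> <version> <release>' as printed by
    rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\\n' ...
    Lines such as 'package X is not installed' are skipped."""
    pkgs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] == "package":
            continue
        name, version, release = parts
        pkgs[name] = (version, release)
    return pkgs


def assess(pkgs, product=None):
    """Mark each package 'vulnerable' when its upstream version is older than
    1.3.8, otherwise 'fixed'. When the product is one of the advisory targets,
    also report whether the build is at least the advisory's fixed build."""
    report = {}
    for name, (ver, rel) in pkgs.items():
        vulnerable = rpmvercmp(ver, FIXED_UPSTREAM_VERSION) < 0
        entry = {"status": "vulnerable" if vulnerable else "fixed"}
        if product in ADVISORY_FIXED_BUILDS:
            fver, frel = ADVISORY_FIXED_BUILDS[product]
            # Version decides first; the release only matters on equal versions.
            c = rpmvercmp(ver, fver) or rpmvercmp(rel, frel)
            entry["at_least_advisory_build"] = c >= 0
        report[name] = entry
    return report


# Constructed sample query output (not captured from a real host).
SAMPLE_LEAP_151 = """zstd 1.4.2 lp151.3.3.1
libzstd1 1.4.2 lp151.3.3.1
"""
# Invented pre-fix build for illustration; no such package is named on this bug.
SAMPLE_OLD = """zstd 1.3.3 lp150.1.3
package libzstd1 is not installed
"""

if __name__ == "__main__":
    for label, sample, product in (
        ("patched Leap 15.1", SAMPLE_LEAP_151, "openSUSE Leap 15.1"),
        ("old build", SAMPLE_OLD, "openSUSE Leap 15.0"),
    ):
        print(label, assess(parse_rpm_query(sample), product))
```

The upstream-version test is sound here because the advisories fixed the packages by moving them to 1.4.2; on distributions that backport fixes without bumping the version, only the per-product build comparison against the advisory is meaningful, and the release string must be checked as well.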
Comment 1 Swamp Workflow Management 2019-08-02 11:20:18 UTC
This is an autogenerated message for OBS integration:
This bug (1142941) was mentioned in
https://build.opensuse.org/request/show/720572 Factory / zstd
https://build.opensuse.org/request/show/720573 15.0 / zstd
Comment 2 Swamp Workflow Management 2019-08-02 14:20:17 UTC
This is an autogenerated message for OBS integration:
This bug (1142941) was mentioned in
https://build.opensuse.org/request/show/720651 15.1 / zstd
Comment 3 Swamp Workflow Management 2019-08-12 19:12:09 UTC
openSUSE-SU-2019:1845-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1082318,1133297,1142941
CVE References: CVE-2019-11922
Sources used:
openSUSE Leap 15.1 (src):    zstd-1.4.2-lp151.3.3.1
Comment 4 Swamp Workflow Management 2019-08-19 16:20:53 UTC
openSUSE-SU-2019:1952-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1082318,1133297,1142941
CVE References: CVE-2019-11922
Sources used:
openSUSE Leap 15.0 (src):    zstd-1.4.2-lp150.2.3.1
Comment 5 Swamp Workflow Management 2019-08-24 22:11:49 UTC
openSUSE-SU-2019:2008-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1082318,1133297,1142941
CVE References: CVE-2019-11922
Sources used:
openSUSE Backports SLE-15-SP1 (src):    zstd-1.4.2-bp151.4.3.1
openSUSE Backports SLE-15 (src):    zstd-1.4.2-bp150.3.3.1
Comment 6 Bernhard Wiedemann 2019-09-16 11:14:41 UTC
Fixed in all stable releases.
Tumbleweed already had the fix.