Apache Arrow issue ARROW-6984

[C++] Update LZ4 to 1.9.2 for CVE-2019-17543


Details

    • Type: Wish
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version: 0.15.0
    • Fix Version: 0.16.0
    • Component: C++
    • Labels: Patch, Important

    Description

      There is a reported CVE that LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (more details here: https://nvd.nist.gov/vuln/detail/CVE-2019-17543 ). I see that Apache Arrow uses version 1.8.3 ( https://github.com/apache/arrow/blob/47e5ecafa72b70112a64a1174b29b9db45f803ef/cpp/thirdparty/versions.txt#L38 ).

      We need to bump up the dependency version of LZ4 to 1.9.2 to get past the reported CVE. Thank you!
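A dependency-pin check for the fix requested above, written here as an added example (not code from the Arrow project): it parses a KEY=value file in the style of cpp/thirdparty/versions.txt and reports whether the pinned LZ4 release is older than 1.9.2, the first version without CVE-2019-17543. The key name LZ4_VERSION and the sample file contents are assumptions.

```python
# Added example (not from the Arrow project): check a pinned LZ4 version in a
# versions.txt-style file against the first release that fixes CVE-2019-17543.
import re

# LZ4 1.9.2 is the first release without the CVE-2019-17543 heap overflow.
LZ4_FIXED_VERSION = (1, 9, 2)

# Constructed sample in the KEY=value style of cpp/thirdparty/versions.txt;
# the key name LZ4_VERSION is an assumption, not copied from the repository.
SAMPLE_VERSIONS_TXT = """\
# Third-party dependency versions (constructed sample)
BROTLI_VERSION=v1.0.7
LZ4_VERSION=v1.8.3
ZSTD_VERSION=v1.4.3
"""


def parse_version(text):
    """Turn 'v1.8.3' or '1.9.2' into a comparable tuple of ints."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def pinned_versions(contents):
    """Parse KEY=value lines, skipping comments and blank lines."""
    pins = {}
    for line in contents.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        pins[key.strip()] = value.strip()
    return pins


def lz4_is_vulnerable(contents, key="LZ4_VERSION"):
    """Return True when the pinned LZ4 version is older than the fixed release."""
    pins = pinned_versions(contents)
    if key not in pins:
        raise KeyError(f"{key} not pinned in versions file")
    return parse_version(pins[key]) < LZ4_FIXED_VERSION


if __name__ == "__main__":
    pins = pinned_versions(SAMPLE_VERSIONS_TXT)
    status = "VULNERABLE" if lz4_is_vulnerable(SAMPLE_VERSIONS_TXT) else "ok"
    print(f"LZ4 pinned at {pins['LZ4_VERSION']}: {status} (fixed in 1.9.2)")
```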

      People

              kszucs Krisztian Szucs
              sangeek Sangeeth Keeriyadath

              Time Tracking

                Estimated: Not Specified
                Remaining: 0h
                Logged: 2h 20m