Apache Arrow - ARROW-6984

[C++] Update LZ4 to 1.9.2 for CVE-2019-17543


    Details

    • Type: Wish
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.15.0
    • Fix Version/s: 0.16.0
    • Component/s: C++
    • Flags: Patch, Important

      Description

      There is a reported CVE that LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (more details here: https://nvd.nist.gov/vuln/detail/CVE-2019-17543 ). I see that Apache Arrow uses version v1.8.3 ( https://github.com/apache/arrow/blob/47e5ecafa72b70112a64a1174b29b9db45f803ef/cpp/thirdparty/versions.txt#L38 ).

      We need to bump up the dependency version of LZ4 to 1.9.2 to get past the reported CVE. Thank you!
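A small audit helper for the kind of check this ticket asks for: read a KEY=VALUE pin file, compare the pinned LZ4 version against the first fixed release named in the advisory, and flag anything older. This is an added example, not code from the Arrow project; the `LZ4_VERSION` key and the pin-file layout are assumptions, and the sample file content is constructed.

```python
import re
from typing import Dict, List, Tuple

# First LZ4 release without the CVE-2019-17543 heap overflow (from the advisory).
LZ4_FIXED_VERSION = "1.9.2"

# Constructed sample in a KEY=VALUE pin-file style. The real versions.txt
# layout and key names are an assumption, not copied from the Arrow repo.
SAMPLE_VERSIONS_TXT = """\
# third-party pins (constructed sample)
LZ4_VERSION=v1.8.3
ZSTD_VERSION=v1.4.3
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'v1.8.3' or '1.9.2' into a comparable tuple such as (1, 8, 3)."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def parse_pins(content: str) -> Dict[str, str]:
    """Collect KEY=VALUE pins, skipping blank lines and '#' comments."""
    pins: Dict[str, str] = {}
    for line in content.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pins[key.strip()] = value.strip()
    return pins


def vulnerable_pins(content: str, key: str = "LZ4_VERSION",
                    fixed: str = LZ4_FIXED_VERSION) -> List[str]:
    """Return one finding per problem: an unpinned key, or a pin older than `fixed`."""
    pins = parse_pins(content)
    if key not in pins:
        return [f"{key} not pinned; cannot assess CVE-2019-17543 exposure"]
    pinned = pins[key]
    # Tuple comparison orders (1, 8, 3) < (1, 9, 2) and (1, 10) > (1, 9, 2) correctly.
    if parse_version(pinned) < parse_version(fixed):
        return [f"{key}={pinned} is below {fixed}: affected by CVE-2019-17543"]
    return []


if __name__ == "__main__":
    for finding in vulnerable_pins(SAMPLE_VERSIONS_TXT):
        print(finding)
```

Run it against the project's real pin file once the key name is confirmed; an empty result means the pin is at or above 1.9.2.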


      People

      • Assignee: Krisztian Szucs (kszucs)
      • Reporter: Sangeeth Keeriyadath (sangeek)


      Time Tracking

      • Original Estimate: Not Specified
      • Remaining Estimate: 0h
      • Time Spent: 2h 20m