CVE编号
CVE-2019-17543利用情况
暂无补丁情况
官方补丁披露时间
2019-10-14漏洞描述
1.9.2之前的LZ4在LZ4_write32中具有基于堆的缓冲区溢出(与LZ4_compress_destSize相关),从而影响使用大输入调用LZ4_compress_fast的应用程序。 (此问题也可能导致数据损坏。)注:供应商指出“只有少数特定的/不常见的API使用受到威胁。”解决建议
厂商已发布了漏洞修复程序,请及时关注更新:https://github.com/lz4/lz4/pull/760
https://github.com/lz4/lz4/pull/756
参考链接 |
|
|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html | |
| http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html | |
| https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941 | |
| https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2 | |
| https://github.com/lz4/lz4/issues/801 | |
| https://github.com/lz4/lz4/pull/756 | |
| https://github.com/lz4/lz4/pull/760 | |
| https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f... | |
| https://lists.apache.org/thread.html/543302d55e2d2da4311994e9b0debdc676bf3fd0... | |
| https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c4... | |
| https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e25175663... | |
| https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07c... | |
| https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a... | |
| https://lists.apache.org/thread.html/r0fb226357e7988a241b06b93bab065bcea2eb38... | |
| https://lists.apache.org/thread.html/r4068ba81066792f2b4d208b39c4c4713c5d4c79... | |
| https://lists.apache.org/thread.html/r7bc72200f94298bc9a0e35637f388deb53467ca... | |
| https://security.netapp.com/advisory/ntap-20210723-0001/ | |
| https://www.oracle.com//security-alerts/cpujul2021.html | |
| https://www.oracle.com/security-alerts/cpuoct2020.html |
受影响软件情况
| # | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
| 1 | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| 运行在以下环境 | |||||||||
| 应用 | lz4_project | lz4 | * |
Up to (excluding) 1.9.2 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.10 | lz4 | * |
Up to (excluding) 1.9.1-r1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.11 | lz4 | * |
Up to (excluding) 1.9.2-r0 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.12 | lz4 | * |
Up to (excluding) 1.9.2-r0 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.13 | lz4 | * |
Up to (excluding) 1.9.2-r0 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.14 | lz4 | * |
Up to (excluding) 1.9.2-r0 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_3.15 | lz4 | * |
Up to (excluding) 1.9.2-r0 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | alpine_edge | lz4 | * |
Up to (excluding) 1.9.2-r0 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | debian_10 | lz4 | * |
Up to (excluding) 1.8.3-1+deb10u1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | debian_9 | lz4 | * |
Up to (excluding) 0.0~r131-2 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | opensuse_Leap_15.0 | lz4 | * |
Up to (excluding) 1.8.0-lp150.2.3.1 |
|||||
| 运行在以下环境 | |||||||||
| 系统 | opensuse_Leap_15.1 | lz4 | * |
Up to (excluding) 1.8.0-lp151.3.3.1 |
|||||
- 攻击路径 远程
- 攻击复杂度 困难
- 权限要求 无需权限
- 影响范围 有限影响
- EXP成熟度 未验证
- 补丁情况 官方补丁
- 数据保密性 无影响
- 数据完整性 无影响
- 服务器危害 无影响
- 全网数量 100
还没有评论,来说两句吧...