Posted to dev@arrow.apache.org by "Sangeeth Keeriyadath (Jira)" <ji...@apache.org> on 2019/10/24 13:12:00 UTC

[jira] [Created] (ARROW-6984) Update LZ4 to 1.9.2 for CVE-2019-17543

Sangeeth Keeriyadath created ARROW-6984:
-------------------------------------------

             Summary: Update LZ4 to 1.9.2 for CVE-2019-17543
                 Key: ARROW-6984
                 URL: https://issues.apache.org/jira/browse/ARROW-6984
             Project: Apache Arrow
          Issue Type: Wish
          Components: C++
    Affects Versions: 0.15.0
            Reporter: Sangeeth Keeriyadath
             Fix For: 0.15.1


There is a reported CVE that LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (more details here: https://nvd.nist.gov/vuln/detail/CVE-2019-17543). I see that Apache Arrow uses version *v1.8.3* (https://github.com/apache/arrow/blob/47e5ecafa72b70112a64a1174b29b9db45f803ef/cpp/thirdparty/versions.txt#L38).

We need to bump up the dependency version of LZ4 to *1.9.2* to get past the reported CVE. Thank you!



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
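The check the issue above asks for, as an added example that is not part of the Jira message and not Apache Arrow's or LZ4's own code: parse the LZ4 pin out of a versions.txt-style file and fail if it is older than 1.9.2, the first release NVD lists as fixing CVE-2019-17543. The line format `LZ4_VERSION=v1.8.3` and the surrounding entries are a constructed stand-in for cpp/thirdparty/versions.txt and are assumptions; the comparison is plain numeric, component by component, so a pre-release suffix such as `1.9.2-rc1` would need to be stripped first.

```shell
#!/bin/sh
# Added example, not Arrow's or LZ4's code: gate a build on the pinned LZ4
# version being at least the first release fixed for CVE-2019-17543.

# Constructed stand-in for the relevant lines of cpp/thirdparty/versions.txt.
# The variable name LZ4_VERSION and the "v"-prefixed value are assumptions.
VERSIONS_TXT='BOOST_VERSION=1.67.0
LZ4_VERSION=v1.8.3
ZSTD_VERSION=v1.4.3'

# First LZ4 release that does not contain the LZ4_write32 heap overflow.
FIXED_LZ4_VERSION=1.9.2

# Print the pinned LZ4 version from versions.txt-style text, without the
# leading "v"; prints nothing if no LZ4_VERSION line is present.
lz4_pinned_version() {
  printf '%s\n' "$1" | sed -n 's/^LZ4_VERSION=v\{0,1\}//p'
}

# Compare two dotted numeric versions component by component.
# Prints -1, 0 or 1 for $1 <, =, > $2 (missing components count as 0).
version_cmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    case "$a" in *.*) a="${a#*.}";; *) a="";; esac
    case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
    if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# Exit 0 if the pinned LZ4 is at least FIXED_LZ4_VERSION, 1 if it is older
# (still vulnerable), 2 if no pin was found. Prints a one-line verdict.
lz4_is_fixed() {
  pinned="$(lz4_pinned_version "$1")"
  if [ -z "$pinned" ]; then
    echo "no LZ4_VERSION pin found"
    return 2
  fi
  if [ "$(version_cmp "$pinned" "$FIXED_LZ4_VERSION")" -lt 0 ]; then
    echo "LZ4 $pinned is affected by CVE-2019-17543; bump to $FIXED_LZ4_VERSION"
    return 1
  fi
  echo "LZ4 $pinned includes the fix for CVE-2019-17543"
  return 0
}

# Demonstration run on the constructed pin above. A CI gate would propagate
# the non-zero status instead of swallowing it as done here.
lz4_is_fixed "$VERSIONS_TXT" || :
```

This only verifies the pin in the source tree. If Arrow is built against a system-installed LZ4 rather than the bundled one, check the library actually linked instead, for example by compiling a one-liner that prints `LZ4_versionString()` from lz4.h, since the pinned value then says nothing about what ships.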