(orc) branch main updated: Add CVE-2025-47436 to security page

Tue, 13 May 2025 07:45:09 -0700 

This is an automated email from the ASF dual-hosted git repository.

dongjoon pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/orc.git


The following commit(s) were added to refs/heads/main by this push:
     new ea794c50a Add CVE-2025-47436 to security page
ea794c50a is described below

commit ea794c50a21b814611dcf2fc53074fd707befd17
Author: Dongjoon Hyun <[email protected]>
AuthorDate: Tue May 13 07:44:26 2025 -0700

    Add CVE-2025-47436 to security page
---
 site/security/CVE-2025-47436.md | 44 +++++++++++++++++++++++++++++++++++++++++
 site/security/index.md          |  3 ++-
 2 files changed, 46 insertions(+), 1 deletion(-)

diff --git a/site/security/CVE-2025-47436.md b/site/security/CVE-2025-47436.md
new file mode 100644
index 000000000..cabb22bf2
--- /dev/null
+++ b/site/security/CVE-2025-47436.md
@@ -0,0 +1,44 @@
+---
+layout: page
+title: CVE-2025-47436
+---
+
+# Potential Heap Buffer Overflow during C++ LZO Decompression
+
+## Date:
+2025-05-13
+
+## Severity:
+
+Medium
+
+## Vendor:
+
+[The Apache Software Foundation](https://apache.org)
+
+## Versions Affected:
+
+- Apache ORC through 1.8.8
+- Apache ORC 1.9.0 through 1.9.5
+- Apache ORC 2.0.0 through 2.0.4
+- Apache ORC 2.1.0 through 2.1.1
+
+## Description:
+
+A vulnerability has been identified in the ORC C++ LZO decompression logic,
+where specially crafted malformed ORC files can cause the decompressor
+to allocate a 250-byte buffer but then attempts to copy 295 bytes into it.
+It causes memory corruption.
+
+This issue is being tracked as ORC-1879 
+
+## Mitigation:
+
+* Upgrade to 1.8.9, 1.9.6, 2.0.5, and 2.1.2
+
+## Credit:
+
+This issue was discovered by Jason Villaluna.
+
+## References:
+[Apache ORC security](/security)
diff --git a/site/security/index.md b/site/security/index.md
index c86dc54d9..b28e50ce6 100644
--- a/site/security/index.md
+++ b/site/security/index.md
@@ -45,4 +45,5 @@ The full process can be found on the
 
 ## Fixed CVEs
 
-* [CVE-2018-8015](CVE-2018-8015) - ORC files with malformed types cause stack 
overflow.
\ No newline at end of file
+* [CVE-2018-8015](CVE-2018-8015) - ORC files with malformed types cause stack 
overflow.
+* [CVE-2025-47436](CVE-2025-47436) - Potential Heap Buffer Overflow during C++ 
LZO Decompression

Reply via email to