[ https://issues.apache.org/jira/browse/ARROW-6984?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16959595#comment-16959595 ]
Antoine Pitrou commented on ARROW-6984:
---------------------------------------

Also we call none of the functions mentioned in https://nvd.nist.gov/vuln/detail/CVE-2019-17543 ({{LZ4_write32}}, {{LZ4_compress_destSize}}, {{LZ4_compress_fast}}).

> [C++] Update LZ4 to 1.9.2 for CVE-2019-17543
> --------------------------------------------
>
>                 Key: ARROW-6984
>                 URL: https://issues.apache.org/jira/browse/ARROW-6984
>             Project: Apache Arrow
>          Issue Type: Wish
>          Components: C++
>    Affects Versions: 0.15.0
>            Reporter: Sangeeth Keeriyadath
>            Assignee: Krisztian Szucs
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.0.0
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> There is a reported CVE that LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (more details here: [https://nvd.nist.gov/vuln/detail/CVE-2019-17543]). I see that Apache Arrow uses version *v1.8.3* ([https://github.com/apache/arrow/blob/47e5ecafa72b70112a64a1174b29b9db45f803ef/cpp/thirdparty/versions.txt#L38]).
> We need to bump up the dependency version of LZ4 to *1.9.2* to get past the reported CVE. Thank you!

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
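The issue and the comment above together describe the two checks a reviewer runs on a vulnerable-dependency report: is the pinned version older than the fixed release, and does the code base directly reference any API function the advisory names. The script below is an added example of that triage and is not part of Apache Arrow or of this Jira thread. It assumes a `KEY=VALUE` pin file with an `LZ4_VERSION` key (the key name is an assumption), and the source trees it scans are constructed inline. Note that a symbol scan only finds direct call sites; calls the library makes internally on behalf of a public entry point are invisible to it, which is why the version bump remains the robust fix.

```python
"""Dependency-advisory triage for an LZ4 pin (added example, not Arrow code).

Check 1: compare the pinned LZ4 version against the fixed release (1.9.2).
Check 2: report which advisory-named functions the code references directly.
"""
import re

# Functions named in the NVD entry for CVE-2019-17543, as quoted in the comment.
AFFECTED_SYMBOLS = ("LZ4_write32", "LZ4_compress_destSize", "LZ4_compress_fast")
FIXED_VERSION = (1, 9, 2)

# Constructed sample of a thirdparty/versions.txt-style pin file.
# The LZ4_VERSION key name is an assumption for this example.
VERSIONS_TXT = """\
LZ4_VERSION=v1.8.3
OTHER_LIB_VERSION=v0.0.1
"""

# Constructed source tree that uses LZ4 only through other entry points.
CLEAN_SOURCES = {
    "src/codec_lz4.cc": "int n = LZ4_compress_default(src, dst, len, cap);\n",
    "src/stream.cc": "n = LZ4_compress_fast_continue(&ctx, src, dst, len, cap, 1);\n",
}

# Constructed source tree with one direct call to an advisory-named function.
CALLER_SOURCES = {
    "src/fast.cc": "int n = LZ4_compress_fast(src, dst, len, cap, 1);\n",
}


def parse_version(text):
    """Turn 'v1.8.3' or '1.9.2' into a comparable tuple of ints."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def pinned_version(versions_txt, key="LZ4_VERSION"):
    """Return the version pinned under KEY in a KEY=VALUE file."""
    for line in versions_txt.splitlines():
        line = line.strip()
        if line.startswith(key + "="):
            return parse_version(line.split("=", 1)[1])
    raise KeyError(key)


def is_vulnerable(version):
    """True when the pin predates the release that fixed the advisory."""
    return tuple(version) < FIXED_VERSION


def referenced_symbols(sources):
    """Map each advisory-named symbol to the files that reference it directly.

    Word boundaries keep LZ4_compress_fast from matching inside a longer
    identifier such as LZ4_compress_fast_continue.
    """
    found = {}
    for path, text in sources.items():
        for sym in AFFECTED_SYMBOLS:
            if re.search(rf"\b{re.escape(sym)}\b", text):
                found.setdefault(sym, []).append(path)
    return found


def triage(versions_txt, sources):
    """Combine both checks into one report for the issue."""
    version = pinned_version(versions_txt)
    return {
        "pinned": version,
        "needs_upgrade": is_vulnerable(version),
        "direct_references": referenced_symbols(sources),
    }


if __name__ == "__main__":
    for label, tree in (("clean tree", CLEAN_SOURCES), ("calling tree", CALLER_SOURCES)):
        print(label, triage(VERSIONS_TXT, tree))
```

Running it against the constructed pin file reports `needs_upgrade: True` for both trees (1.8.3 is older than 1.9.2), with an empty `direct_references` for the first tree and a hit on `LZ4_compress_fast` for the second; the first outcome is the situation the comment describes, and the second is what would raise the issue's priority.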