[https://issues.apache.org/jira/browse/ARROW-6984?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
Antoine Pitrou resolved ARROW-6984.
-----------------------------------
Resolution: Fixed
Issue resolved by pull request 5728
[https://github.com/apache/arrow/pull/5728]
> [C++] Update LZ4 to 1.9.2 for CVE-2019-17543
> --------------------------------------------
>
> Key: ARROW-6984
> URL: https://issues.apache.org/jira/browse/ARROW-6984
> Project: Apache Arrow
> Issue Type: Wish
> Components: C++
> Affects Versions: 0.15.0
> Reporter: Sangeeth Keeriyadath
> Assignee: Krisztian Szucs
> Priority: Major
> Labels: pull-request-available
> Fix For: 1.0.0
>
> Time Spent: 2h 10m
> Remaining Estimate: 0h
>
> There is a reported CVE that LZ4 before 1.9.2 has a heap-based buffer
> overflow in LZ4_write32 (more details here:
> [https://nvd.nist.gov/vuln/detail/CVE-2019-17543]). I see that Apache Arrow
> uses version *v1.8.3*
> ([https://github.com/apache/arrow/blob/47e5ecafa72b70112a64a1174b29b9db45f803ef/cpp/thirdparty/versions.txt#L38]).
> We need to bump up the dependency version of LZ4 to *1.9.2* to get past the
> reported CVE. Thank you!
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
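The fix above is a dependency-pin bump: a third-party version file points at LZ4 1.8.3, and the remediation is to raise the pin to at least 1.9.2. The following is an added example, not part of this issue or of the Apache Arrow code base, of how a build or CI step can audit such a pin file against a table of minimum fixed versions. The sample file contents and the `LZ4_VERSION=v1.8.3` key naming are constructed for this example and are assumptions about the file format, not copied from Arrow's versions.txt; the 1.9.2 / CVE-2019-17543 entry is the one the issue itself states.

```python
"""Audit pinned third-party versions against a minimum-fixed-version table.

Added example (not Arrow project code). The version file format and key
names below are assumptions modelled loosely on a KEY=VALUE pin file.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of a cpp/thirdparty/versions.txt pin file.
SAMPLE_VERSIONS_TXT = """\
# constructed sample, not the real Arrow file
LZ4_VERSION=v1.8.3
ZSTD_VERSION=v1.4.3
SNAPPY_VERSION=1.1.7
"""

# Minimum versions that carry a fix, keyed by dependency name.
# The LZ4 row is the advice given in the issue; add further rows as needed.
MIN_FIXED: Dict[str, Tuple[str, str]] = {
    "LZ4": ("1.9.2", "CVE-2019-17543"),
}


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn 'v1.8.3' into (1, 8, 3); stop at the first non-numeric component."""
    s = s.strip().lstrip("vV")
    parts: List[int] = []
    for piece in s.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """Numeric (not lexicographic) comparison; pads so 1.9 == 1.9.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def parse_versions_txt(text: str) -> Dict[str, str]:
    """Collect NAME_VERSION=value lines into {NAME: value}, skipping comments."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.endswith("_VERSION"):
            pins[key[: -len("_VERSION")]] = value.strip()
    return pins


def find_outdated(pins: Dict[str, str],
                  min_fixed: Dict[str, Tuple[str, str]] = MIN_FIXED
                  ) -> List[Tuple[str, str, str, str]]:
    """Return (name, pinned, minimum, advisory) for every pin below its minimum."""
    findings = []
    for name, (min_ver, advisory) in min_fixed.items():
        pinned = pins.get(name)
        if pinned is None:
            continue  # dependency not pinned in this file; nothing to compare
        if version_lt(parse_version(pinned), parse_version(min_ver)):
            findings.append((name, pinned, min_ver, advisory))
    return findings


if __name__ == "__main__":
    for name, pinned, min_ver, adv in find_outdated(parse_versions_txt(SAMPLE_VERSIONS_TXT)):
        print(f"{name}: pinned {pinned} is below {min_ver} ({adv}); raise the pin")
```

Run as a CI check, a non-empty result from `find_outdated` should fail the build; the numeric comparison matters because a string comparison would wrongly rank 1.10.0 below 1.9.2.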