[jira] [Resolved] (KUDU-3156) Whether the CVE-2019-17543 vulnerability of lz affects kudu

Alexey Serbin (Jira) Thu, 09 Jul 2020 10:51:23 -0700


     [ 
https://issues.apache.org/jira/browse/KUDU-3156?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Alexey Serbin resolved KUDU-3156.
---------------------------------
    Fix Version/s: n/a
       Resolution: Information Provided

Kudu doesn't use {{LZ4_compress_fast}} call, so it's not affected by 
CVE-2019-17543.

> Whether the CVE-2019-17543 vulnerability of lz affects kudu
> -----------------------------------------------------------
>
>                 Key: KUDU-3156
>                 URL: https://issues.apache.org/jira/browse/KUDU-3156
>             Project: Kudu
>          Issue Type: Bug
>    Affects Versions: 1.8.0
>            Reporter: yejiabao_h
>            Priority: Major
>             Fix For: n/a
>
>
> LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to 
> LZ4_compress_destSize), affecting applications that call LZ4_compress_fast 
> with a large input. (This issue can also lead to data corruption.) NOTE: the 
> vendor states "only a few specific / uncommon usages of the API are at risk." 
>      
> Whether the CVE-2019-17543 vulnerability of lz affects kudu? if yes, what is 
> the impact?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Resolved] (KUDU-3156) Whether the CVE-2019-17543 vulnerability of lz affects kudu

Reply via email to