CVE-2019-17543
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2019-17543
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-17543.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2019-17543
- Downstream
- Related
- Published
- 2019-10-14T02:15:10Z
- Modified
- 2025-09-19T10:49:43.980482Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4write32 (related to LZ4compressdestSize), affecting applications that call LZ4compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."
- References
-
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941
- https://github.com/lz4/lz4/compare/v1.9.1...v1.9.2
- https://github.com/lz4/lz4/issues/801
- https://github.com/lz4/lz4/pull/756
- https://github.com/lz4/lz4/pull/760
- https://security.netapp.com/advisory/ntap-20210723-0001/
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00069.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00070.html
- https://lists.apache.org/thread.html/25015588b770d67470b7ba7ea49a305d6735dd7f00eabe7d50ec1e17%40%3Cissues.arrow.apache.org%3E
- https://lists.apache.org/thread.html/543302d55e2d2da4311994e9b0debdc676bf3fd05e1a2be3407aa2d6%40%3Cissues.arrow.apache.org%3E
- https://lists.apache.org/thread.html/793012683dc0fa6819b7c2560e6cf990811014c40c7d75412099c357%40%3Cissues.arrow.apache.org%3E
- https://lists.apache.org/thread.html/9ff0606d16be2ab6a81619e1c9e23c3e251756638e36272c8c8b7fa3%40%3Cissues.arrow.apache.org%3E
- https://lists.apache.org/thread.html/f0038c4fab2ee25aee849ebeff6b33b3aa89e07ccfb06b5c87b36316%40%3Cissues.arrow.apache.org%3E
- https://lists.apache.org/thread.html/f506bc371d4a068d5d84d7361293568f61167d3a1c3e91f0def2d7d3%40%3Cdev.arrow.apache.org%3E
- https://lists.apache.org/thread.html/r0fb226357e7988a241b06b93bab065bcea2eb38658b382e485960e26%40%3Cissues.kudu.apache.org%3E
- https://lists.apache.org/thread.html/r4068ba81066792f2b4d208b39c4c4713c5d4c79bd8cb6c1904af5720%40%3Cissues.kudu.apache.org%3E
- https://lists.apache.org/thread.html/r7bc72200f94298bc9a0e35637f388deb53467ca4b2e2ad1ff66d8960%40%3Cissues.kudu.apache.org%3E
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://security.alpinelinux.org/vuln/CVE-2019-17543
Affected packages
Alpine:v3.10
lz4
Alpine:v3.11
lz4
Alpine:v3.12
lz4
Alpine:v3.13
lz4
Alpine:v3.14
lz4
Alpine:v3.15
lz4
Alpine:v3.16
lz4
Alpine:v3.17
lz4
Alpine:v3.18
lz4
Alpine:v3.19
lz4
Alpine:v3.20
lz4
Alpine:v3.21
lz4
Alpine:v3.22
lz4
Git
github.com/lz4/lz4
Affected ranges
- Type
- GIT
- Repo
- https://github.com/lz4/lz4
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Other
lz4-r130
r117
r118
r119
r120
r121
r122
r123
r124
r125
r126
r127
r128
r129
r130
r131
rc129v0
v1.*
v1.7.3
v1.7.4
v1.7.4.2
v1.7.5
v1.8.0
v1.8.1
v1.8.1.2
v1.8.2
v1.8.3
v1.9.0
v1.9.1
Database specific
{
"vanir_signatures": [
{
"id": "CVE-2019-17543-b1728100",
"digest": {
"length": 6841.0,
"function_hash": "61011784323741544421519885770648292192"
},
"signature_type": "Function",
"target": {
"file": "tests/frametest.c",
"function": "fuzzerTests"
},
"deprecated": false,
"signature_version": "v1",
"source": "https://github.com/lz4/lz4/commit/fdf2ef5809ca875c454510610764d9125ef2ebbd"
},
{
"id": "CVE-2019-17543-f2e73d94",
"digest": {
"line_hashes": [
"325100058228336016223022397709697290259",
"200105775490831143229869207908691188226",
"165779088698909068794914726885539428532",
"83614538809166404914961511938413066878"
],
"threshold": 0.9
},
"signature_type": "Line",
"target": {
"file": "tests/frametest.c"
},
"deprecated": false,
"signature_version": "v1",
"source": "https://github.com/lz4/lz4/commit/fdf2ef5809ca875c454510610764d9125ef2ebbd"
}
]
}