Security update for zstd SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:2008-1 Final 1 1 2019-08-24T16:20:28Z current 2019-08-24T16:20:28Z 2019-08-24T16:20:28Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for zstd This update for zstd fixes the following issues: - Update to version 1.4.2: * bug: Fix bug in zstd-0.5 decoder by @terrelln (#1696) * bug: Fix seekable decompression in-memory API by @iburinoc (#1695) * bug: Close minor memory leak in CLI by @LeeYoung624 (#1701) * misc: Validate blocks are smaller than size limit by @vivekmig (#1685) * misc: Restructure source files by @ephiepark (#1679) - Update to version 1.4.1: * bug: Fix data corruption in niche use cases by @terrelln (#1659) * bug: Fuzz legacy modes, fix uncovered bugs by @terrelln (#1593, #1594, #1595) * bug: Fix out of bounds read by @terrelln (#1590) * perf: Improve decode speed by ~7% @mgrice (#1668) * perf: Slightly improved compression ratio of level 3 and 4 (ZSTD_dfast) by @cyan4973 (#1681) * perf: Slightly faster compression speed when re-using a context by @cyan4973 (#1658) * perf: Improve compression ratio for small windowLog by @cyan4973 (#1624) * perf: Faster compression speed in high compression mode for repetitive data by @terrelln (#1635) * api: Add parameter to generate smaller dictionaries by @tyler-tran (#1656) * cli: Recognize symlinks when built in C99 mode by @felixhandte (#1640) * cli: Expose cpu load indicator for each file on -vv mode by @ephiepark (#1631) * cli: Restrict read permissions on destination files by @chungy (#1644) * cli: zstdgrep: handle -f flag by @felixhandte (#1618) * cli: zstdcat: follow symlinks by @vejnar (#1604) * doc: Remove extra size limit on compressed blocks by @felixhandte (#1689) * doc: Fix typo by @yk-tanigawa (#1633) * doc: Improve documentation on streaming buffer sizes by @cyan4973 (#1629) * build: CMake: support building with LZ4 @leeyoung624 (#1626) * build: CMake: install zstdless and zstdgrep by @leeyoung624 (#1647) * build: CMake: respect existing uninstall target by @j301scott (#1619) * build: Make: skip multithread tests when built without support by @michaelforney (#1620) * build: Make: Fix examples/ test target by @sjnam (#1603) * build: Meson: rename options out of deprecated namespace by @lzutao (#1665) * build: Meson: fix build by @lzutao (#1602) * build: Visual Studio: don't export symbols in static lib by @scharan (#1650) * build: Visual Studio: fix linking by @absotively (#1639) * build: Fix MinGW-W64 build by @myzhang1029 (#1600) * misc: Expand decodecorpus coverage by @ephiepark (#1664) - Add baselibs.conf: libarchive gained zstd support and provides -32bit libraries. This means, zstd also needs to provide -32bit libs. - Update to new upstream release 1.4.0 * perf: level 1 compression speed was improved * cli: added --[no-]compress-literals flag to enable or disable literal compression - Reword 'real-time' in description by some actual statistics, because 603MB/s (lowest zstd level) is not 'real-time' for quite some applications. - zstd 1.3.8: * better decompression speed on large files (+7%) and cold dictionaries (+15%) * slightly better compression ratio at high compression modes * new --rsyncable mode * support decompression of empty frames into NULL (used to be an error) * support ZSTD_CLEVEL environment variable * --no-progress flag, preserving final summary * various CLI fixes * fix race condition in one-pass compression functions that could allow out of bounds write (CVE-2019-11922, boo#1142941) - zstd 1.3.7: * fix ratio for dictionary compression at levels 9 and 10 * add man pages for zstdless and zstdgrep - includes changes from zstd 1.3.6: * faster dictionary builder, also the new default for --train * previous (slower, slightly higher quality) dictionary builder to be selected via --train-cover * Faster dictionary decompression and compression under memory limits with many dictionaries used simultaneously * New command --adapt for compressed network piping of data adjusted to the perceived network conditions - update to 1.3.5: * much faster dictionary compression * small quality improvement for dictionary generation * slightly improved performance at high compression levels * automatic memory release for long duration contexts * fix overlapLog can be manually set * fix decoding invalid lz4 frames * fix performance degradation for dictionary compression when using advanced API - fix pzstd tests - enable pzstd (parallel zstd) - Use %license instead of %doc [boo#1082318] - Add disk _constraints to fix ppc64le build - Use FAT LTO objects in order to provide proper static library (boo#1133297). This update was imported from the openSUSE:Leap:15.0:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-2008 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/K7K2UOXWEY5FAQGWUDI7235YCQ2R5UPH/#K7K2UOXWEY5FAQGWUDI7235YCQ2R5UPH E-Mail link for openSUSE-SU-2019:2008-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1082318 SUSE Bug 1082318 https://bugzilla.suse.com/1133297 SUSE Bug 1133297 https://bugzilla.suse.com/1142941 SUSE Bug 1142941 https://www.suse.com/security/cve/CVE-2019-11922/ SUSE CVE CVE-2019-11922 page SUSE Package Hub 15 SUSE Package Hub 15 SP1 libzstd-devel-1.4.2-bp151.4.3.1 libzstd-devel-static-1.4.2-bp151.4.3.1 libzstd1-1.4.2-bp151.4.3.1 libzstd1-64bit-1.4.2-bp151.4.3.1 zstd-1.4.2-bp151.4.3.1 libzstd-devel-1.4.2-bp151.4.3.1 as a component of SUSE Package Hub 15 libzstd-devel-static-1.4.2-bp151.4.3.1 as a component of SUSE Package Hub 15 libzstd1-1.4.2-bp151.4.3.1 as a component of SUSE Package Hub 15 libzstd1-64bit-1.4.2-bp151.4.3.1 as a component of SUSE Package Hub 15 zstd-1.4.2-bp151.4.3.1 as a component of SUSE Package Hub 15 libzstd-devel-1.4.2-bp151.4.3.1 as a component of SUSE Package Hub 15 SP1 libzstd-devel-static-1.4.2-bp151.4.3.1 as a component of SUSE Package Hub 15 SP1 libzstd1-1.4.2-bp151.4.3.1 as a component of SUSE Package Hub 15 SP1 libzstd1-64bit-1.4.2-bp151.4.3.1 as a component of SUSE Package Hub 15 SP1 zstd-1.4.2-bp151.4.3.1 as a component of SUSE Package Hub 15 SP1 A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used. CVE-2019-11922 SUSE Package Hub 15 SP1:libzstd-devel-1.4.2-bp151.4.3.1 SUSE Package Hub 15 SP1:libzstd-devel-static-1.4.2-bp151.4.3.1 SUSE Package Hub 15 SP1:libzstd1-1.4.2-bp151.4.3.1 SUSE Package Hub 15 SP1:libzstd1-64bit-1.4.2-bp151.4.3.1 SUSE Package Hub 15 SP1:zstd-1.4.2-bp151.4.3.1 SUSE Package Hub 15:libzstd-devel-1.4.2-bp151.4.3.1 SUSE Package Hub 15:libzstd-devel-static-1.4.2-bp151.4.3.1 SUSE Package Hub 15:libzstd1-1.4.2-bp151.4.3.1 SUSE Package Hub 15:libzstd1-64bit-1.4.2-bp151.4.3.1 SUSE Package Hub 15:zstd-1.4.2-bp151.4.3.1 low 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/K7K2UOXWEY5FAQGWUDI7235YCQ2R5UPH/#K7K2UOXWEY5FAQGWUDI7235YCQ2R5UPH https://www.suse.com/security/cve/CVE-2019-11922.html CVE-2019-11922 https://bugzilla.suse.com/1142941 SUSE Bug 1142941