
Library lzma has vulnerability CVE-2020-22916 #8120

Closed
github-actions bot opened this issue Aug 25, 2023 · 2 comments
Labels: cve, libraries (For things referring to osquery third party libraries), security, severity-medium
Milestone: 5.10.0

Comments

@github-actions

https://nvd.nist.gov/vuln/detail/CVE-2020-22916

An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted file.

@github-actions github-actions bot added the cve, libraries (For things referring to osquery third party libraries), security, severity-medium labels Aug 25, 2023
@Smjert Smjert added this to the 5.10.0 milestone Aug 29, 2023
@Smjert
Member

Smjert commented Aug 30, 2023

It's unclear where the issue resides, see: tukaani-project/xz#61
That being said, better be safe than sorry and update lzma.

EDIT: note that upstream is unclear if the issue has been solved by a more recent version, so while we can update the library, we should NOT close this issue until there is confirmation from upstream.

@Smjert Smjert self-assigned this Sep 12, 2023
@Smjert
Member

Smjert commented Sep 26, 2023

Closing since upstream is disputing this; we also updated anyway and the new version is not reporting this issue.

@Smjert Smjert closed this as completed Sep 26, 2023

1 participant