openSUSE Security Update: Security update for zstd ______________________________________________________________________________ Announcement ID: openSUSE-SU-2019:2008-1 Rating: moderate References: #1082318 #1133297 #1142941 Cross-References: CVE-2019-11922 Affected Products: openSUSE Backports SLE-15-SP1 openSUSE Backports SLE-15 ______________________________________________________________________________ An update that solves one vulnerability and has two fixes is now available. Description: This update for zstd fixes the following issues: - Update to version 1.4.2: * bug: Fix bug in zstd-0.5 decoder by @terrelln (#1696) * bug: Fix seekable decompression in-memory API by @iburinoc (#1695) * bug: Close minor memory leak in CLI by @LeeYoung624 (#1701) * misc: Validate blocks are smaller than size limit by @vivekmig (#1685) * misc: Restructure source files by @ephiepark (#1679) - Update to version 1.4.1: * bug: Fix data corruption in niche use cases by @terrelln (#1659) * bug: Fuzz legacy modes, fix uncovered bugs by @terrelln (#1593, #1594, #1595) * bug: Fix out of bounds read by @terrelln (#1590) * perf: Improve decode speed by ~7% @mgrice (#1668) * perf: Slightly improved compression ratio of level 3 and 4 (ZSTD_dfast) by @cyan4973 (#1681) * perf: Slightly faster compression speed when re-using a context by @cyan4973 (#1658) * perf: Improve compression ratio for small windowLog by @cyan4973 (#1624) * perf: Faster compression speed in high compression mode for repetitive data by @terrelln (#1635) * api: Add parameter to generate smaller dictionaries by @tyler-tran (#1656) * cli: Recognize symlinks when built in C99 mode by @felixhandte (#1640) * cli: Expose cpu load indicator for each file on -vv mode by @ephiepark (#1631) * cli: Restrict read permissions on destination files by @chungy (#1644) * cli: zstdgrep: handle -f flag by @felixhandte (#1618) * cli: zstdcat: follow symlinks by @vejnar (#1604) * doc: Remove extra size limit on compressed blocks by @felixhandte (#1689) * doc: Fix typo by @yk-tanigawa (#1633) * doc: Improve documentation on streaming buffer sizes by @cyan4973 (#1629) * build: CMake: support building with LZ4 @leeyoung624 (#1626) * build: CMake: install zstdless and zstdgrep by @leeyoung624 (#1647) * build: CMake: respect existing uninstall target by @j301scott (#1619) * build: Make: skip multithread tests when built without support by @michaelforney (#1620) * build: Make: Fix examples/ test target by @sjnam (#1603) * build: Meson: rename options out of deprecated namespace by @lzutao (#1665) * build: Meson: fix build by @lzutao (#1602) * build: Visual Studio: don't export symbols in static lib by @scharan (#1650) * build: Visual Studio: fix linking by @absotively (#1639) * build: Fix MinGW-W64 build by @myzhang1029 (#1600) * misc: Expand decodecorpus coverage by @ephiepark (#1664) - Add baselibs.conf: libarchive gained zstd support and provides -32bit libraries. This means, zstd also needs to provide -32bit libs. - Update to new upstream release 1.4.0 * perf: level 1 compression speed was improved * cli: added --[no-]compress-literals flag to enable or disable literal compression - Reword "real-time" in description by some actual statistics, because 603MB/s (lowest zstd level) is not "real-time" for quite some applications. - zstd 1.3.8: * better decompression speed on large files (+7%) and cold dictionaries (+15%) * slightly better compression ratio at high compression modes * new --rsyncable mode * support decompression of empty frames into NULL (used to be an error) * support ZSTD_CLEVEL environment variable * --no-progress flag, preserving final summary * various CLI fixes * fix race condition in one-pass compression functions that could allow out of bounds write (CVE-2019-11922, boo#1142941) - zstd 1.3.7: * fix ratio for dictionary compression at levels 9 and 10 * add man pages for zstdless and zstdgrep - includes changes from zstd 1.3.6: * faster dictionary builder, also the new default for --train * previous (slower, slightly higher quality) dictionary builder to be selected via --train-cover * Faster dictionary decompression and compression under memory limits with many dictionaries used simultaneously * New command --adapt for compressed network piping of data adjusted to the perceived network conditions - update to 1.3.5: * much faster dictionary compression * small quality improvement for dictionary generation * slightly improved performance at high compression levels * automatic memory release for long duration contexts * fix overlapLog can be manually set * fix decoding invalid lz4 frames * fix performance degradation for dictionary compression when using advanced API - fix pzstd tests - enable pzstd (parallel zstd) - Use %license instead of %doc [boo#1082318] - Add disk _constraints to fix ppc64le build - Use FAT LTO objects in order to provide proper static library (boo#1133297). This update was imported from the openSUSE:Leap:15.0:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP1: zypper in -t patch openSUSE-2019-2008=1 - openSUSE Backports SLE-15: zypper in -t patch openSUSE-2019-2008=1 Package List: - openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64): libzstd-devel-1.4.2-bp151.4.3.1 libzstd-devel-static-1.4.2-bp151.4.3.1 libzstd1-1.4.2-bp151.4.3.1 libzstd1-debuginfo-1.4.2-bp151.4.3.1 zstd-1.4.2-bp151.4.3.1 zstd-debuginfo-1.4.2-bp151.4.3.1 zstd-debugsource-1.4.2-bp151.4.3.1 - openSUSE Backports SLE-15-SP1 (aarch64_ilp32): libzstd1-64bit-1.4.2-bp151.4.3.1 libzstd1-64bit-debuginfo-1.4.2-bp151.4.3.1 - openSUSE Backports SLE-15 (aarch64 ppc64le s390x x86_64): libzstd-devel-1.4.2-bp150.3.3.1 libzstd-devel-static-1.4.2-bp150.3.3.1 libzstd1-1.4.2-bp150.3.3.1 zstd-1.4.2-bp150.3.3.1 - openSUSE Backports SLE-15 (aarch64_ilp32): libzstd1-64bit-1.4.2-bp150.3.3.1 References: https://www.suse.com/security/cve/CVE-2019-11922.html https://bugzilla.suse.com/1082318 https://bugzilla.suse.com/1133297 https://bugzilla.suse.com/1142941 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org