openSUSE Security Update: Security update for zstd
______________________________________________________________________________
Announcement ID: openSUSE-SU-2019:2008-1
Rating: moderate
References: #1082318 #1133297 #1142941
Cross-References: CVE-2019-11922
Affected Products:
openSUSE Backports SLE-15-SP1
openSUSE Backports SLE-15
______________________________________________________________________________
An update that solves one vulnerability and has two fixes
is now available.
Description:
This update for zstd fixes the following issues:
– Update to version 1.4.2:
* bug: Fix bug in zstd-0.5 decoder by @terrelln (#1696)
* bug: Fix seekable decompression in-memory API by @iburinoc (#1695)
* bug: Close minor memory leak in CLI by @LeeYoung624 (#1701)
* misc: Validate blocks are smaller than size limit by @vivekmig (#1685)
* misc: Restructure source files by @ephiepark (#1679)
– Update to version 1.4.1:
* bug: Fix data corruption in niche use cases by @terrelln (#1659)
* bug: Fuzz legacy modes, fix uncovered bugs by @terrelln (#1593, #1594,
#1595)
* bug: Fix out of bounds read by @terrelln (#1590)
* perf: Improve decode speed by ~7% @mgrice (#1668)
* perf: Slightly improved compression ratio of level 3 and 4
(ZSTD_dfast) by @cyan4973 (#1681)
* perf: Slightly faster compression speed when re-using a context by
@cyan4973 (#1658)
* perf: Improve compression ratio for small windowLog by @cyan4973
(#1624)
* perf: Faster compression speed in high compression mode for repetitive
data by @terrelln (#1635)
* api: Add parameter to generate smaller dictionaries by @tyler-tran
(#1656)
* cli: Recognize symlinks when built in C99 mode by @felixhandte (#1640)
* cli: Expose cpu load indicator for each file on -vv mode by @ephiepark
(#1631)
* cli: Restrict read permissions on destination files by @chungy (#1644)
* cli: zstdgrep: handle -f flag by @felixhandte (#1618)
* cli: zstdcat: follow symlinks by @vejnar (#1604)
* doc: Remove extra size limit on compressed blocks by @felixhandte
(#1689)
* doc: Fix typo by @yk-tanigawa (#1633)
* doc: Improve documentation on streaming buffer sizes by @cyan4973
(#1629)
* build: CMake: support building with LZ4 @leeyoung624 (#1626)
* build: CMake: install zstdless and zstdgrep by @leeyoung624 (#1647)
* build: CMake: respect existing uninstall target by @j301scott (#1619)
* build: Make: skip multithread tests when built without support by
@michaelforney (#1620)
* build: Make: Fix examples/ test target by @sjnam (#1603)
* build: Meson: rename options out of deprecated namespace by @lzutao
(#1665)
* build: Meson: fix build by @lzutao (#1602)
* build: Visual Studio: don’t export symbols in static lib by @scharan
(#1650)
* build: Visual Studio: fix linking by @absotively (#1639)
* build: Fix MinGW-W64 build by @myzhang1029 (#1600)
* misc: Expand decodecorpus coverage by @ephiepark (#1664)
– Add baselibs.conf: libarchive gained zstd support and provides
-32bit libraries. This means, zstd also needs to provide -32bit libs.
– Update to new upstream release 1.4.0
* perf: level 1 compression speed was improved
* cli: added –[no-]compress-literals flag to enable or disable literal
compression
– Reword “real-time” in description by some actual statistics, because
603MB/s (lowest zstd level) is not “real-time” for quite some
applications.
– zstd 1.3.8:
* better decompression speed on large files (+7%) and cold dictionaries
(+15%)
* slightly better compression ratio at high compression modes
* new –rsyncable mode
* support decompression of empty frames into NULL (used to be an error)
* support ZSTD_CLEVEL environment variable
* –no-progress flag, preserving final summary
* various CLI fixes
* fix race condition in one-pass compression functions that could allow
out of bounds write (CVE-2019-11922, boo#1142941)
– zstd 1.3.7:
* fix ratio for dictionary compression at levels 9 and 10
* add man pages for zstdless and zstdgrep
– includes changes from zstd 1.3.6:
* faster dictionary builder, also the new default for –train
* previous (slower, slightly higher quality) dictionary builder to be
selected via –train-cover
* Faster dictionary decompression and compression under memory limits
with many dictionaries used simultaneously
* New command –adapt for compressed network piping of data adjusted to
the perceived network conditions
– update to 1.3.5:
* much faster dictionary compression
* small quality improvement for dictionary generation
* slightly improved performance at high compression levels
* automatic memory release for long duration contexts
* fix overlapLog can be manually set
* fix decoding invalid lz4 frames
* fix performance degradation for dictionary compression when using
advanced API
– fix pzstd tests
– enable pzstd (parallel zstd)
– Use %license instead of %doc [boo#1082318]
– Add disk _constraints to fix ppc64le build
– Use FAT LTO objects in order to provide proper static library
(boo#1133297).
This update was imported from the openSUSE:Leap:15.0:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:
– openSUSE Backports SLE-15-SP1:
zypper in -t patch openSUSE-2019-2008=1
– openSUSE Backports SLE-15:
zypper in -t patch openSUSE-2019-2008=1
Package List:
– openSUSE Backports SLE-15-SP1 (aarch64 ppc64le s390x x86_64):
libzstd-devel-1.4.2-bp151.4.3.1
libzstd-devel-static-1.4.2-bp151.4.3.1
libzstd1-1.4.2-bp151.4.3.1
libzstd1-debuginfo-1.4.2-bp151.4.3.1
zstd-1.4.2-bp151.4.3.1
zstd-debuginfo-1.4.2-bp151.4.3.1
zstd-debugsource-1.4.2-bp151.4.3.1
– openSUSE Backports SLE-15-SP1 (aarch64_ilp32):
libzstd1-64bit-1.4.2-bp151.4.3.1
libzstd1-64bit-debuginfo-1.4.2-bp151.4.3.1
– openSUSE Backports SLE-15 (aarch64 ppc64le s390x x86_64):
libzstd-devel-1.4.2-bp150.3.3.1
libzstd-devel-static-1.4.2-bp150.3.3.1
libzstd1-1.4.2-bp150.3.3.1
zstd-1.4.2-bp150.3.3.1
– openSUSE Backports SLE-15 (aarch64_ilp32):
libzstd1-64bit-1.4.2-bp150.3.3.1
References:
https://www.suse.com/security/cve/CVE-2019-11922.html
https://bugzilla.suse.com/1082318
https://bugzilla.suse.com/1133297
https://bugzilla.suse.com/1142941
—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org