openSUSE Security Update : zstd (openSUSE-2019-1952)

Medium Nessus Plugin ID 128015

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for zstd fixes the following issues :

- Update to version 1.4.2 :

- bug: Fix bug in zstd-0.5 decoder by @terrelln (#1696)

- bug: Fix seekable decompression in-memory API by @iburinoc (#1695)

- bug: Close minor memory leak in CLI by @LeeYoung624 (#1701)

- misc: Validate blocks are smaller than size limit by @vivekmig (#1685)

- misc: Restructure source files by @ephiepark (#1679)

- Update to version 1.4.1 :

- bug: Fix data corruption in niche use cases by @terrelln (#1659)

- bug: Fuzz legacy modes, fix uncovered bugs by @terrelln (#1593, #1594, #1595)

- bug: Fix out of bounds read by @terrelln (#1590)

- perf: Improve decode speed by ~7% @mgrice (#1668)

- perf: Slightly improved compression ratio of level 3 and 4 (ZSTD_dfast) by @cyan4973 (#1681)

- perf: Slightly faster compression speed when re-using a context by @cyan4973 (#1658)

- perf: Improve compression ratio for small windowLog by @cyan4973 (#1624)

- perf: Faster compression speed in high compression mode for repetitive data by @terrelln (#1635)

- api: Add parameter to generate smaller dictionaries by @tyler-tran (#1656)

- cli: Recognize symlinks when built in C99 mode by @felixhandte (#1640)

- cli: Expose cpu load indicator for each file on -vv mode by @ephiepark (#1631)

- cli: Restrict read permissions on destination files by @chungy (#1644)

- cli: zstdgrep: handle -f flag by @felixhandte (#1618)

- cli: zstdcat: follow symlinks by @vejnar (#1604)

- doc: Remove extra size limit on compressed blocks by @felixhandte (#1689)

- doc: Fix typo by @yk-tanigawa (#1633)

- doc: Improve documentation on streaming buffer sizes by @cyan4973 (#1629)

- build: CMake: support building with LZ4 @leeyoung624 (#1626)

- build: CMake: install zstdless and zstdgrep by @leeyoung624 (#1647)

- build: CMake: respect existing uninstall target by @j301scott (#1619)

- build: Make: skip multithread tests when built without support by @michaelforney (#1620)

- build: Make: Fix examples/ test target by @sjnam (#1603)

- build: Meson: rename options out of deprecated namespace by @lzutao (#1665)

- build: Meson: fix build by @lzutao (#1602)

- build: Visual Studio: don't export symbols in static lib by @scharan (#1650)

- build: Visual Studio: fix linking by @absotively (#1639)

- build: Fix MinGW-W64 build by @myzhang1029 (#1600)

- misc: Expand decodecorpus coverage by @ephiepark (#1664)

- Add baselibs.conf: libarchive gained zstd support and provides

-32bit libraries. This means, zstd also needs to provide
-32bit libs.

- Update to new upstream release 1.4.0

- perf: level 1 compression speed was improved

- cli: added --[no-]compress-literals flag to enable or disable literal compression

- Reword 'real-time' in description by some actual statistics, because 603MB/s (lowest zstd level) is not 'real-time' for quite some applications.

- zstd 1.3.8 :

- better decompression speed on large files (+7%) and cold dictionaries (+15%)

- slightly better compression ratio at high compression modes

- new --rsyncable mode

- support decompression of empty frames into NULL (used to be an error)

- support ZSTD_CLEVEL environment variable

- --no-progress flag, preserving final summary

- various CLI fixes

- fix race condition in one-pass compression functions that could allow out of bounds write (CVE-2019-11922, boo#1142941)

- zstd 1.3.7 :

- fix ratio for dictionary compression at levels 9 and 10

- add man pages for zstdless and zstdgrep

- includes changes from zstd 1.3.6 :

- faster dictionary builder, also the new default for
--train

- previous (slower, slightly higher quality) dictionary builder to be selected via --train-cover

- Faster dictionary decompression and compression under memory limits with many dictionaries used simultaneously

- New command --adapt for compressed network piping of data adjusted to the perceived network conditions

- update to 1.3.5 :

- much faster dictionary compression

- small quality improvement for dictionary generation

- slightly improved performance at high compression levels

- automatic memory release for long duration contexts

- fix overlapLog can be manually set

- fix decoding invalid lz4 frames

- fix performance degradation for dictionary compression when using advanced API

- fix pzstd tests

- enable pzstd (parallel zstd)

- Use %license instead of %doc [boo#1082318]

- Add disk _constraints to fix ppc64le build

- Use FAT LTO objects in order to provide proper static library (boo#1133297).

Solution

Update the affected zstd packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1082318

https://bugzilla.opensuse.org/show_bug.cgi?id=1133297

https://bugzilla.opensuse.org/show_bug.cgi?id=1142941

Plugin Details

Severity: Medium

ID: 128015

File Name: openSUSE-2019-1952.nasl

Version: 1.1

Type: local

Agent: unix

Published: 2019/08/20

Updated: 2019/08/20

Dependencies: 12634

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS v3.0

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:libzstd-devel, p-cpe:/a:novell:opensuse:libzstd-devel-static, p-cpe:/a:novell:opensuse:libzstd1, p-cpe:/a:novell:opensuse:libzstd1-debuginfo, p-cpe:/a:novell:opensuse:zstd, p-cpe:/a:novell:opensuse:zstd-debuginfo, p-cpe:/a:novell:opensuse:zstd-debugsource, cpe:/o:novell:opensuse:15.0

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 2019/08/19

Vulnerability Publication Date: 2019/07/25

Reference Information

CVE: CVE-2019-11922