libbrotli1 upgrade to 1.0.9 due to security

Bug #1978821 reported by Robert
This bug affects 1 person
Affects: brotli (Ubuntu) | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

The latest version on 18.04 is 1.0.3-1ubuntu1

The git repo at https://github.com/google/brotli says
> Please consider updating brotli to version 1.0.9 (latest).
>
> Version 1.0.9 contains a fix to "integer overflow" problem. This happens when "one-shot" decoding API is used (or input chunk for streaming API is not limited), input size (chunk size) is larger than 2GiB, and input contains uncompressed blocks. After the overflow happens, memcpy is invoked with a gigantic num value, that will likely cause the crash.

Robert (robrwo)
affects: curl (Ubuntu) → brotli (Ubuntu)
information type: Private Security → Public Security
Changed in brotli (Ubuntu):
status: New → Confirmed
Marc Deslauriers (mdeslaur) wrote :

I'm making this bug public, since the issue is listed on a public page.

Curiously, I could not find a CVE for this issue.

Robert (robrwo) wrote :

It's CVE-2020-8927

Apparently the earlier versions of Brotli have been patched, see https://usn.ubuntu.com/4568-1/

Still, it's confusing to see an earlier version and be unsure whether it was patched or not. I would think that a change from 1.0.3 or 1.0.7 to 1.0.9 would be safe.

Marc Deslauriers (mdeslaur) wrote :

Ah yes, that CVE was fixed in all our releases, so I am marking this bug as invalid. Thanks!

Changed in brotli (Ubuntu):
status: Confirmed → Invalid