openSUSE Security Update: Security update for zstd
______________________________________________________________________________

Announcement ID: openSUSE-SU-2019:1952-1
Rating: moderate
References: #1082318 #1133297 #1142941
Cross-References: CVE-2019-11922
Affected Products:
openSUSE Leap 15.0
______________________________________________________________________________

An update that solves one vulnerability and has two fixes
is now available.

Description:

This update for zstd fixes the following issues:

– Update to version 1.4.2:
* bug: Fix bug in zstd-0.5 decoder by @terrelln (#1696)
* bug: Fix seekable decompression in-memory API by @iburinoc (#1695)
* bug: Close minor memory leak in CLI by @LeeYoung624 (#1701)
* misc: Validate blocks are smaller than size limit by @vivekmig (#1685)
* misc: Restructure source files by @ephiepark (#1679)

– Update to version 1.4.1:
* bug: Fix data corruption in niche use cases by @terrelln (#1659)
* bug: Fuzz legacy modes, fix uncovered bugs by @terrelln (#1593, #1594,
#1595)
* bug: Fix out of bounds read by @terrelln (#1590)
* perf: Improve decode speed by ~7% @mgrice (#1668)
* perf: Slightly improved compression ratio of level 3 and 4
(ZSTD_dfast) by @cyan4973 (#1681)
* perf: Slightly faster compression speed when re-using a context by
@cyan4973 (#1658)
* perf: Improve compression ratio for small windowLog by @cyan4973
(#1624)
* perf: Faster compression speed in high compression mode for repetitive
data by @terrelln (#1635)
* api: Add parameter to generate smaller dictionaries by @tyler-tran
(#1656)
* cli: Recognize symlinks when built in C99 mode by @felixhandte (#1640)
* cli: Expose cpu load indicator for each file on -vv mode by @ephiepark
(#1631)
* cli: Restrict read permissions on destination files by @chungy (#1644)
* cli: zstdgrep: handle -f flag by @felixhandte (#1618)
* cli: zstdcat: follow symlinks by @vejnar (#1604)
* doc: Remove extra size limit on compressed blocks by @felixhandte
(#1689)
* doc: Fix typo by @yk-tanigawa (#1633)
* doc: Improve documentation on streaming buffer sizes by @cyan4973
(#1629)
* build: CMake: support building with LZ4 @leeyoung624 (#1626)
* build: CMake: install zstdless and zstdgrep by @leeyoung624 (#1647)
* build: CMake: respect existing uninstall target by @j301scott (#1619)
* build: Make: skip multithread tests when built without support by
@michaelforney (#1620)
* build: Make: Fix examples/ test target by @sjnam (#1603)
* build: Meson: rename options out of deprecated namespace by @lzutao
(#1665)
* build: Meson: fix build by @lzutao (#1602)
* build: Visual Studio: don’t export symbols in static lib by @scharan
(#1650)
* build: Visual Studio: fix linking by @absotively (#1639)
* build: Fix MinGW-W64 build by @myzhang1029 (#1600)
* misc: Expand decodecorpus coverage by @ephiepark (#1664)

– Add baselibs.conf: libarchive gained zstd support and provides
-32bit libraries. This means, zstd also needs to provide -32bit libs.

– Update to new upstream release 1.4.0
* perf: level 1 compression speed was improved
* cli: added –[no-]compress-literals flag to enable or disable literal
compression
– Reword “real-time” in description by some actual statistics, because
603MB/s (lowest zstd level) is not “real-time” for quite some
applications.

– zstd 1.3.8:
* better decompression speed on large files (+7%) and cold dictionaries
(+15%)
* slightly better compression ratio at high compression modes
* new –rsyncable mode
* support decompression of empty frames into NULL (used to be an error)
* support ZSTD_CLEVEL environment variable
* –no-progress flag, preserving final summary
* various CLI fixes
* fix race condition in one-pass compression functions that could allow
out of bounds write (CVE-2019-11922, boo#1142941)

– zstd 1.3.7:
* fix ratio for dictionary compression at levels 9 and 10
* add man pages for zstdless and zstdgrep
– includes changes from zstd 1.3.6:
* faster dictionary builder, also the new default for –train
* previous (slower, slightly higher quality) dictionary builder to be
selected via –train-cover
* Faster dictionary decompression and compression under memory limits
with many dictionaries used simultaneously
* New command –adapt for compressed network piping of data adjusted to
the perceived network conditions

– update to 1.3.5:
* much faster dictionary compression
* small quality improvement for dictionary generation
* slightly improved performance at high compression levels
* automatic memory release for long duration contexts
* fix overlapLog can be manually set
* fix decoding invalid lz4 frames
* fix performance degradation for dictionary compression when using
advanced API

– fix pzstd tests
– enable pzstd (parallel zstd)

– Use %license instead of %doc [boo#1082318]
– Add disk _constraints to fix ppc64le build
– Use FAT LTO objects in order to provide proper static library
(boo#1133297).

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

– openSUSE Leap 15.0:

zypper in -t patch openSUSE-2019-1952=1

Package List:

– openSUSE Leap 15.0 (x86_64):

libzstd-devel-1.4.2-lp150.2.3.1
libzstd-devel-static-1.4.2-lp150.2.3.1
libzstd1-1.4.2-lp150.2.3.1
libzstd1-debuginfo-1.4.2-lp150.2.3.1
zstd-1.4.2-lp150.2.3.1
zstd-debuginfo-1.4.2-lp150.2.3.1
zstd-debugsource-1.4.2-lp150.2.3.1

References:

https://www.suse.com/security/cve/CVE-2019-11922.html
https://bugzilla.suse.com/1082318
https://bugzilla.suse.com/1133297
https://bugzilla.suse.com/1142941

—
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org