[
https://issues.apache.org/jira/browse/KAFKA-17301?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Mickael Maison resolved KAFKA-17301.
------------------------------------
Resolution: Duplicate
In KAFKA-19951 we switched to a new fork that is maintained. Closing.
> lz4-java is not maintained anymore
> ----------------------------------
>
> Key: KAFKA-17301
> URL: https://issues.apache.org/jira/browse/KAFKA-17301
> Project: Kafka
> Issue Type: Task
> Reporter: Mickael Maison
> Priority: Major
>
> lz4-java has not made a release since June 2021. It still depends on lz4
> 1.9.3, which has a critical CVE (though it does not seem exploitable in our
> case): CVE-2021-3520 (https://nvd.nist.gov/vuln/detail/CVE-2021-3520).
> Looking at the fix in lz4
> (https://github.com/lz4/lz4/commit/7a966c1511816b53ac93aa2f2a2ff97e036a4a60),
> it now ensures that outputSize is not negative.
> The Kafka code that reaches this logic is
> https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/compress/Lz4BlockInputStream.java#L185-L186.
> The outputSize argument in the lz4 logic comes from blockSize in
> https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/compress/Lz4BlockInputStream.java#L185-L186.
> Just above we ensure blockSize is positive by ANDing it with the two's
> complement of LZ4_FRAME_INCOMPRESSIBLE_MASK, which is Integer.MIN_VALUE, so
> even if we read a negative block size it's forced to a positive value.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
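The block-header handling the issue describes, as an added example written for this page (it is not Kafka's Lz4BlockInputStream or lz4-java code). It reads the 4-byte little-endian block size field of an LZ4 frame block, splits off the incompressible flag in bit 31 with LZ4_FRAME_INCOMPRESSIBLE_MASK (0x80000000 == Integer.MIN_VALUE), and shows why clearing that bit with ~LZ4_FRAME_INCOMPRESSIBLE_MASK means the decompressor can never receive a negative outputSize, even for an all-ones header that reads back as -1. The class name, the parse/header helpers and the 4 MiB MAX_BLOCK_SIZE cap are assumptions made for the example; the constructed header bytes in main are not taken from a real Kafka batch.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;

/**
 * Added example modelling the LZ4 frame block-header check discussed in
 * KAFKA-17301. Not Kafka's or lz4-java's code; names are assumed.
 */
public final class Lz4BlockHeaderCheck {

    /** High bit of the 4-byte block size field: set means the block is stored
     *  uncompressed. Same value as Integer.MIN_VALUE. */
    static final int LZ4_FRAME_INCOMPRESSIBLE_MASK = 0x80000000;

    /** Assumed cap for the example: the largest block size an LZ4 frame
     *  descriptor can announce is 4 MiB. */
    static final int MAX_BLOCK_SIZE = 4 * 1024 * 1024;

    /** Parsed header: payload length that follows and whether it is compressed. */
    record BlockHeader(int blockSize, boolean compressed) {}

    /**
     * Parses the little-endian block header at the start of {@code header}.
     * Rejects an end mark (size 0) and any size above {@code maxBlockSize}.
     */
    static BlockHeader parse(byte[] header, int maxBlockSize) {
        if (header.length < 4) {
            throw new IllegalArgumentException("truncated block header");
        }
        int raw = ByteBuffer.wrap(header, 0, 4).order(ByteOrder.LITTLE_ENDIAN).getInt();

        // Bit 31 is the incompressible flag, not part of the size.
        boolean compressed = (raw & LZ4_FRAME_INCOMPRESSIBLE_MASK) == 0;

        // ~LZ4_FRAME_INCOMPRESSIBLE_MASK is 0x7FFFFFFF, so the result is always
        // in [0, Integer.MAX_VALUE]: a negative outputSize can never be passed on.
        int blockSize = raw & ~LZ4_FRAME_INCOMPRESSIBLE_MASK;

        if (blockSize == 0) {
            throw new IllegalArgumentException("end mark, no block follows");
        }
        if (blockSize > maxBlockSize) {
            throw new IllegalArgumentException(
                "block size " + blockSize + " exceeds frame maximum " + maxBlockSize);
        }
        return new BlockHeader(blockSize, compressed);
    }

    /** Builds a 4-byte little-endian header from the raw field value (test helper). */
    static byte[] header(int raw) {
        return ByteBuffer.allocate(4).order(ByteOrder.LITTLE_ENDIAN).putInt(raw).array();
    }

    public static void main(String[] args) {
        // Constructed headers for the example, not captured from Kafka traffic.
        System.out.println(parse(header(0x00000010), MAX_BLOCK_SIZE)); // 16-byte compressed block
        System.out.println(parse(header(0x80000010), MAX_BLOCK_SIZE)); // 16-byte stored block

        // All-ones field: getInt() yields -1, the mask forces it to
        // Integer.MAX_VALUE, and the size cap then rejects it.
        int raw = 0xFFFFFFFF;
        int masked = raw & ~LZ4_FRAME_INCOMPRESSIBLE_MASK;
        System.out.println("raw=" + raw + " masked=" + masked);
        try {
            parse(header(raw), MAX_BLOCK_SIZE);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The mask alone only guarantees the value is non-negative; it is the comparison against the frame's maximum block size that stops an attacker-chosen field near Integer.MAX_VALUE from being handed to the decompressor as a buffer length, so both checks belong together.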