CVE-2020-36846

NameCVE-2020-36846
DescriptionA buffer overflow, as described in CVE-2020-8927, exists in the embedded Brotli library.  Versions of IO::Compress::Brotli prior to 0.007 included a version of the brotli library prior to version 1.0.8, where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your IO::Compress::Brotli module to 0.007 or later. If one cannot update, we recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libio-compress-brotli-perl (PTS)forky, sid, trixie0.004001-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libio-compress-brotli-perlsource(unstable)(not affected)

Notes

- libio-compress-brotli-perl <not-affected> (Debian package uses the system library from the initial packaging)
https://lists.security.metacpan.org/cve-announce/msg/30005245/
https://github.com/google/brotli/pull/826
https://github.com/timlegge/perl-IO-Compress-Brotli/blob/8b44c83b23bb4658179e1494af4b725a1bc476bc/Changes#L52
Marked exceptionally as not-affected as the Debian packaging uses the
system library since the beginning.
Search for package or bug name: Reporting problems