oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2025-47436: Apache ORC: Potential Heap Buffer Overflow during C++ LZO Decompression

From: Dongjoon Hyun <dongjoon () apache org>
Date: Tue, 13 May 2025 14:31:24 +0000
Affected versions:

- Apache ORC through 1.8.8
- Apache ORC 1.9.0 through 1.9.5
- Apache ORC 2.0.0 through 2.0.4
- Apache ORC 2.1.0 through 2.1.1

Description:

Heap-based Buffer Overflow vulnerability in Apache ORC.

A vulnerability has been identified in the ORC C++ LZO decompression logic, where specially crafted malformed ORC files 
can cause the decompressor to allocate a 250-byte buffer but then attempts to copy 295 bytes into it. It causes memory 
corruption.

This issue affects Apache ORC C++ library: through 1.8.8, from 1.9.0 through 1.9.5, from 2.0.0 through 2.0.4, from 
2.1.0 through 2.1.1.

Users are recommended to upgrade to version 1.8.9, 1.9.6, 2.0.5, and 2.1.2, which fix the issue.

This issue is being tracked as ORC-1879 

Credit:

Jason Villaluna (reporter)

References:

https://orc.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-47436
https://issues.apache.org/jira/browse/ORC-1879
Previous By Date Next
Previous By Thread Next

Current thread: