| Field | Value |
|---|---|
| Summary | Kernel: Multiple vulnerabilities in LZO/LZ4 (CVE-2014-{4608,4611}) |
| Product | Gentoo Security |
| Reporter | Kristian Fiskerstrand (RETIRED) <k_f> |
| Component | Kernel |
| Assignee | Gentoo Kernel Security <security-kernel> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | kernel |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://seclists.org/oss-sec/2014/q2/666 |
| Whiteboard | |
| Package list | |
| Runtime testing required | --- |
Description

Kristian Fiskerstrand (RETIRED), 2014-06-26 20:38:16 UTC

As pointed out in http://seclists.org/oss-sec/2014/q2/682: I think it's worth pointing out that the Linux kernel only introduced LZ4 support in 3.11. This is why from the new kernel.org stable releases yesterday, only 3.14.9 and 3.15.2 contain the LZ4 patch. 3.10.45 and 3.4.95 don't.

Some further information is posted in http://seclists.org/oss-sec/2014/q3/9: For the record, -> http://blog.securitymouse.com/2014/07/i-was-wrong-proving-lz4-exploitable.html

Summary: effectively, this post proves that

- Exploits can be written against current implementations of LZ4
- Block sizes less than 8MB (and even less than 4MB) can be malicious
- Certain platforms are more affected than others (primarily RISC: ARM)
- Protecting against the 16MB and greater flaw was not sufficient

CVE-2014-4611 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4611): Integer overflow in the LZ4 algorithm implementation, as used in Yann Collet LZ4 before r118 and in the lz4_uncompress function in lib/lz4/lz4_decompress.c in the Linux kernel before 3.15.2, on 32-bit platforms might allow context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted Literal Run that would be improperly handled by programs not complying with an API limitation, a different vulnerability than CVE-2014-4715.

CVE-2014-4608 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4608): ** DISPUTED ** Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel before 3.15.2 allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run. NOTE: the author of the LZO algorithms says "the Linux kernel is *not* affected; media hype."
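Both CVE entries above concern a decoder summing the length of a crafted "Literal Run" and letting that sum drive pointer arithmetic that can wrap on a 32-bit platform. The following is an added example, not code from this bug, the Linux kernel, or Yann Collet's LZ4, and it does not reproduce the 3.15.2 patch. It is a minimal LZ4 block decoder written to show the defensive pattern: every decoded run length is compared against the space that actually remains (input for literals, output for matches) as it is accumulated, so the running total can never grow large enough to wrap a `size_t`, and offsets are validated before use. It goes beyond the literal-run case in the text by handling the whole block (token, literals, offset, match) in the same style. All function names and the sample blocks are my own constructions.

```c
/* Added example: a bounds-checked LZ4 block decoder (names and samples are
 * constructed for illustration; this is not the kernel's or liblz4's code). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LZ4_MINMATCH 4   /* match lengths are stored as (length - 4) */

/* Read a literal or match length. `base` is the 4-bit nibble from the token;
 * if it is 15, extension bytes follow and are summed until one is not 255.
 * `limit` is the space remaining for the run: the sum is rejected the moment
 * it exceeds that limit, so it stays small and cannot wrap on 32-bit.
 * Returns 0 on success, -1 on truncated or oversized input. */
static int read_length(const uint8_t *in, size_t in_len, size_t *ip,
                       size_t base, size_t limit, size_t *len_out)
{
    size_t len = base;
    if (len == 15) {
        uint8_t b;
        do {
            if (*ip >= in_len)
                return -1;          /* extension bytes run past the input */
            b = in[(*ip)++];
            len += b;
            if (len > limit)
                return -1;          /* run claims more than exists */
        } while (b == 255);
    }
    if (len > limit)
        return -1;
    *len_out = len;
    return 0;
}

/* Decode one LZ4 block into `out`. Returns the number of bytes written,
 * or -1 if the block is malformed (truncated, oversized run, bad offset). */
long lz4_block_decode_checked(const uint8_t *in, size_t in_len,
                              uint8_t *out, size_t out_cap)
{
    size_t ip = 0, op = 0;

    while (ip < in_len) {
        uint8_t token = in[ip++];
        size_t lit_len, match_len, offset, i;

        /* Literals must physically exist in the input and fit in the output. */
        if (read_length(in, in_len, &ip, token >> 4, in_len - ip, &lit_len) < 0)
            return -1;
        if (lit_len > in_len - ip || lit_len > out_cap - op)
            return -1;
        memcpy(out + op, in + ip, lit_len);
        ip += lit_len;
        op += lit_len;

        if (ip == in_len)
            break;                  /* the last sequence carries only literals */

        /* Two-byte little-endian offset; it may not reach before the output start. */
        if (in_len - ip < 2)
            return -1;
        offset = (size_t)in[ip] | ((size_t)in[ip + 1] << 8);
        ip += 2;
        if (offset == 0 || offset > op)
            return -1;

        /* Match length is bounded by remaining output, minus the implicit 4. */
        if (out_cap - op < LZ4_MINMATCH)
            return -1;
        if (read_length(in, in_len, &ip, token & 0x0F,
                        out_cap - op - LZ4_MINMATCH, &match_len) < 0)
            return -1;
        match_len += LZ4_MINMATCH;

        /* Byte-wise copy so overlapping matches (offset < length) act as RLE. */
        for (i = 0; i < match_len; i++, op++)
            out[op] = out[op - offset];
    }
    return (long)op;
}

/* Constructed block: literals "ab", a 10-byte match at offset 2, then a
 * final literal "c". Returns 13 when the output is "ababababababc". */
long demo_decode_valid_block(void)
{
    static const uint8_t block[] = { 0x26, 'a', 'b', 0x02, 0x00, 0x10, 'c' };
    uint8_t out[32];
    long n = lz4_block_decode_checked(block, sizeof block, out, sizeof out);
    return (n == 13 && memcmp(out, "ababababababc", 13) == 0) ? n : -1;
}

/* Constructed block: extension bytes claim a 780-byte literal run, but no
 * literal bytes follow; the decoder must reject it rather than read past in. */
long demo_reject_oversized_literal_run(void)
{
    static const uint8_t block[] = { 0xF0, 0xFF, 0xFF, 0xFF, 0x00 };
    uint8_t out[32];
    return lz4_block_decode_checked(block, sizeof block, out, sizeof out);
}

/* Constructed block: match offset 5 when only one output byte exists. */
long demo_reject_bad_offset(void)
{
    static const uint8_t block[] = { 0x10, 'x', 0x05, 0x00 };
    uint8_t out[32];
    return lz4_block_decode_checked(block, sizeof block, out, sizeof out);
}
```

The design point is that the check happens on lengths, against a bounded remaining size, not on pointers after the addition: `ip + lit_len` or `op + match_len` can wrap on a 32-bit platform before any comparison sees it, whereas `lit_len > in_len - ip` cannot. A decoder that instead trusts a caller-supplied block-size limit (the "API limitation" the CVE-2014-4611 text refers to) remains exposed whenever that limit is not honoured.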