| Field | Value |
|---|---|
| Summary | <dev-libs/lzo-2.08: LZO Denial of Service and arbitrary code execution (CVE-2014-4607) |
| Product | Gentoo Security |
| Reporter | Kristian Fiskerstrand (RETIRED) <k_f> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | binki, hanno, mgorny |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://seclists.org/oss-sec/2014/q2/665 |
| Whiteboard | A3 [glsa cve] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | |
| Bug Blocks | 374699, 515246 |
Description
Kristian Fiskerstrand (RETIRED)
2014-06-26 20:53:42 UTC
From http://www.oberhumer.com/opensource/lzo/: LZO 2.07 has been released: Fixed a potential integer overflow condition in the "safe" decompressor variants which could result in a possible buffer overrun when processing maliciously crafted compressed input data. As this issue only affects 32-bit systems and also can only happen if you use uncommonly huge buffer sizes where you have to decompress more than 16 MiB (2^24 bytes) compressed bytes within a single function call, the practical implications are limited.

Just to highlight the matrix of tested arches and versions from ${URL}:

Vulnerability Tested:

| | x86_64 | i386 | ARM |
|---|---|---|---|
| liblzo1 | vulnerable | vulnerable | vulnerable |
| liblzo2 | not vulnerable | vulnerable | vulnerable |

Please test and stabilize: =dev-libs/lzo-2.08

Stable for HPPA.

amd64 stable

x86 stable

alpha stable

ia64 stable

ppc64 stable

ppc stable

sparc stable

arm stable, all arches done!

Cleanup, please!

Arches, Thank you for your work

Maintainer(s), please drop the vulnerable version(s).

New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s). Vulnerable versions have been around for two months.

Maintainer(s): Please drop affected versions, security will remove in 30 days if no response.

Cleanup done

This issue was resolved and addressed in GLSA 201701-14 at https://security.gentoo.org/glsa/201701-14 by GLSA coordinator Thomas Deutschmann (whissi).
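As an added illustration of the overflow the quoted LZO release note describes (example code written for this page, not LZO's own lzo1x_d.ch and not part of the bug report): a 32-bit model of the long-literal-run length decoder, with the vulnerable check beside a hardened one. The run encoding assumed here (opcode 0, then zero bytes adding 255 each, then a final byte adding 15 plus its value, followed by a NEED_OP(t+3)-style output check), the constant ACC_LIMIT and the function names are simplifying assumptions; the roughly 16 MiB input is constructed in memory, which is why the release note talks about 2^24 compressed bytes in a single call.

```c
/* Added model of the CVE-2014-4607 length-accumulation flaw; illustrative
 * code, not LZO's lzo1x_d.ch. Assumptions: a 32-bit accumulator (lzo_uint on
 * a 32-bit build); a long literal run encoded as opcode 0, k zero bytes
 * (+255 each), then a final byte b (+15+b); output check modelled as
 * NEED_OP(t+3). ACC_LIMIT is a hypothetical bound, not LZO's constant. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum run_verdict { RUN_REJECT = 0, RUN_ACCEPT = 1 };

/* Keep t far enough below 2^32 that the later +15+b and +3 cannot carry. */
#define ACC_LIMIT (UINT32_MAX - 511u)

/* Vulnerable shape: accumulate freely, then check t+3 in 32-bit arithmetic. */
static enum run_verdict decode_run_vulnerable(const uint8_t *ip, size_t in_len,
                                              uint32_t out_remaining, uint32_t *t_out)
{
    const uint8_t *in_end = ip + in_len;
    uint32_t t;
    if (in_len < 2 || ip[0] != 0) return RUN_REJECT;
    t = *ip++;                                  /* opcode 0: long literal run */
    while (*ip == 0) {
        t += 255;                               /* wraps silently past 2^32 */
        ip++;
        if (ip >= in_end) return RUN_REJECT;    /* NEED_IP(1) */
    }
    t += 15 + *ip++;
    *t_out = t;
    if ((uint32_t)(t + 3) > out_remaining) return RUN_REJECT;  /* NEED_OP(t+3) */
    return RUN_ACCEPT;   /* the real decoder now copies t bytes: overrun */
}

/* Hardened shape: bound t on every iteration, so no later addition can wrap. */
static enum run_verdict decode_run_hardened(const uint8_t *ip, size_t in_len,
                                            uint32_t out_remaining, uint32_t *t_out)
{
    const uint8_t *in_end = ip + in_len;
    uint32_t t;
    if (in_len < 2 || ip[0] != 0) return RUN_REJECT;
    t = *ip++;
    while (*ip == 0) {
        t += 255;                               /* t <= ACC_LIMIT + 255 here */
        ip++;
        if (t > ACC_LIMIT) return RUN_REJECT;   /* run length implausibly large */
        if (ip >= in_end) return RUN_REJECT;
    }
    t += 15 + *ip++;
    *t_out = t;
    if (out_remaining < 3 || t > out_remaining - 3) return RUN_REJECT;
    return RUN_ACCEPT;
}

/* Constructed input (not a real LZO stream): 255*EVIL_ZEROS + 15 + EVIL_LAST
 * == 0xFFFFFFFD, so t+3 wraps to 0. That is about 16 MiB of input. */
#define EVIL_ZEROS 16843008u
#define EVIL_LAST  238u

static uint8_t *build_evil_run(size_t *len_out)
{
    size_t len = 1 + EVIL_ZEROS + 1 + 4;        /* opcode, zeros, b, 4 literals */
    uint8_t *buf = calloc(len, 1);
    if (buf == NULL) return NULL;
    buf[1 + EVIL_ZEROS] = EVIL_LAST;
    memset(buf + 2 + EVIL_ZEROS, 'A', 4);
    *len_out = len;
    return buf;
}

/* Returns the length the vulnerable decoder accepted for the constructed run
 * (with only 64 bytes of output space) when the hardened decoder rejected the
 * same input; 0 otherwise. */
uint32_t cve_2014_4607_demo(void)
{
    size_t len; uint32_t tv = 0, th = 0;
    uint8_t *buf = build_evil_run(&len);
    if (buf == NULL) return 0;
    int vuln_ok = decode_run_vulnerable(buf, len, 64, &tv) == RUN_ACCEPT;
    int hard_rej = decode_run_hardened(buf, len, 64, &th) == RUN_REJECT;
    free(buf);
    return (vuln_ok && hard_rej) ? tv : 0;
}

/* Benign run 0,0,1 -> t = 255 + 15 + 1 = 271: both decoders agree. */
int benign_run_demo(void)
{
    const uint8_t run[] = { 0, 0, 1, 'x', 'y', 'z', 'w' };
    uint32_t t1 = 0, t2 = 0;
    return decode_run_vulnerable(run, sizeof run, 1000, &t1) == RUN_ACCEPT
        && decode_run_hardened(run, sizeof run, 1000, &t2) == RUN_ACCEPT
        && t1 == 271 && t2 == 271
        && decode_run_vulnerable(run, sizeof run, 100, &t1) == RUN_REJECT
        && decode_run_hardened(run, sizeof run, 100, &t2) == RUN_REJECT;
}

int main(void)
{
    printf("wrapped length accepted by vulnerable check: 0x%08x, benign ok: %d\n",
           cve_2014_4607_demo(), benign_run_demo());
    return 0;
}
```

The point of the model is the mismatch between the checked quantity and the copied quantity: the vulnerable check compares the wrapped value of t+3 (0 here) against the output space, while the copy that follows would use the unwrapped t of 0xFFFFFFFD. The accumulator is 64 bits wide on an x86_64 liblzo2 build, so 16 MiB of zero bytes cannot wrap it there, which matches the tested-arches matrix above showing liblzo2 on x86_64 as not vulnerable.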