Summary: | [TRACKER] Multiple packages vulnerable to LZO vulnerabilities through embedded code (CVE-2014-4607) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | hanno, jackdachef, O01eg |
Priority: | Normal | Keywords: | Tracker |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://seclists.org/oss-sec/2014/q2/676 | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 515234, 515238, 515250, 515256, 515258, 515260, 515262, 515264, 515266, 515268, 515272, 515274, 515276, 515278, 515280, 515282, 515284, 515296, 515300, 515304, 515306 | ||
Bug Blocks: |
Description
Kristian Fiskerstrand (RETIRED)
2014-06-26 22:03:56 UTC
Some additional references: http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html http://fastcompression.blogspot.fr/2014/06/debunking-lz4-20-years-old-bug-myth.html http://seclists.org/oss-sec/2014/q2/681 Here is a list of all the packages in list format as part of this tracker. Since GLSA for this will be released when all bugs are completed, the users can use the list to see if any updates to the LZO bug have been done. media-video/libav dev-libs/lzo sys-boot/grub sys-apps/busybox sys-boot/syslinux app-emulation/xen app-emulation/xen-tools app-emulation/xen-pvgrub www-client/chromium dev-util/valgrind net-misc/remmina media-gfx/blender x11-misc/x11vnc net-libs/libvncserver net-misc/italc app-arch/dump kde-base/krfb net-analyzer/nfdump media-video/kino media-video/ffmpeg dev-embedded/u-boot-tools app-misc/bb games-emulation/mednafen app-editors/hteditor dev-python/pytables sci-electronics/gtkwave Just some hints: For packages using lz4 make sure they are using at least r118, see https://github.com/lz4/lz4/releases/tag/r118 For packages using minilzo make sure they are using at least Oberhumer's LZO version 2.07. |