Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 515246 (CVE-2014-4607)

Summary: [TRACKER] Multiple packages vulnerable to LZO vulnerabilities through embedded code (CVE-2014-4607)
Product: Gentoo Security Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: hanno, jackdachef, O01eg
Priority: Normal Keywords: Tracker
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://seclists.org/oss-sec/2014/q2/676
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 515234, 515238, 515250, 515256, 515258, 515260, 515262, 515264, 515266, 515268, 515272, 515274, 515276, 515278, 515280, 515282, 515284, 515296, 515300, 515304, 515306    
Bug Blocks:    

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-26 22:03:56 UTC 
See also bug 515238 regarding the upstream LZO vulnerability reported at http://seclists.org/oss-sec/2014/q2/665. As pointed out in ${URL} several packages contains embedded copies of this code.

As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-07-21 23:19:37 UTC 
Here is a list of all the packages in list format as part of this tracker. Since GLSA for this will be released when all bugs are completed, the users can use the list to see if any updates to the LZO bug have been done.

media-video/libav dev-libs/lzo sys-boot/grub sys-apps/busybox sys-boot/syslinux app-emulation/xen app-emulation/xen-tools app-emulation/xen-pvgrub www-client/chromium dev-util/valgrind net-misc/remmina media-gfx/blender x11-misc/x11vnc net-libs/libvncserver net-misc/italc app-arch/dump kde-base/krfb net-analyzer/nfdump media-video/kino media-video/ffmpeg dev-embedded/u-boot-tools app-misc/bb games-emulation/mednafen app-editors/hteditor dev-python/pytables sci-electronics/gtkwave
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-22 18:42:06 UTC 
Just some hints:

For packages using lz4 make sure they are using at least r118, see https://github.com/lz4/lz4/releases/tag/r118

For packages using minilzo make sure they are using at least Oberhumer's LZO version 2.07.