| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | <sys-apps/busybox-1.22.1-r1: LZO Denial of Service and Arbitrary Code Execution through embedded code (CVE-2014-4607) | | |
| Product: | Gentoo Security | Reporter: | Kristian Fiskerstrand (RETIRED) <k_f> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | embedded, hanno, whissi |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://bugs.busybox.net/show_bug.cgi?id=7238 | | |
| Whiteboard: | A3 [glsa cleanup] | | |
| Package list: | | Runtime testing required: | --- |
Description
Kristian Fiskerstrand (RETIRED)
2014-06-26 22:15:11 UTC
Upstream bug filed at https://bugs.busybox.net/show_bug.cgi?id=7238

The upstream bug has been acted upon and this is "Fixed in git". As far as I can see the commit in question is http://git.busybox.net/busybox/commit/?id=a9dc7c2f59dc5e92870d2d46316ea5c1f14740e3

Commit message: Add lzop fix from upstream

http://sources.gentoo.org/sys-apps/busybox/busybox-1.22.1-r1.ebuild?rev=1.1
http://sources.gentoo.org/sys-apps/busybox/files/busybox-1.22.1-lzop.patch?rev=1.1

Commit a9dc7c2f59dc5e92870d2d46316ea5c1f14740e3 can also be cherry-picked to the 1.20 and 1.21 branches, which are marked as stable in the Gentoo tree. Should we bump those ebuilds too?

1.23.1 (which I just added to the tree) has this fix as well as addressing bug 537978 (CVE-2014-9645).

This issue was resolved and addressed in GLSA 201503-13 at https://security.gentoo.org/glsa/201503-13 by GLSA coordinator Mikle Kolyada (Zlogene).