Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 515286

Summary: <app-misc/bb-1.3.0_rc1-r3: LZO Denial of Service and Arbitrary Code Execution through embedded code
Product: Gentoo Security Reporter: Yury German <blueknight>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: slyfox
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://seclists.org/oss-sec/2014/q2/676
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Yury German Gentoo Infrastructure gentoo-dev 2014-06-27 01:16:38 UTC 
It is suspected that this package is vulnerable to a security vulnerability in LZO. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected. 

Please see the information contained in the tracker bug 515246. "An integer overflow may occur when processing any variant of a "literal run" in the lzo1x_decompress_safe function. Each of these three locations is subject to an integer overflow when processing zero bytes.", additional information about the upstream vulnerability is available at http://seclists.org/oss-sec/2014/q2/665
Comment 1 Sergei Trofimovich (RETIRED) gentoo-dev 2014-06-30 14:29:39 UTC 
'bb' is a standalone ascii-art demo program.
It does not receive lzo streams from outside,
thus should not be vulnerable.

Don't know which status to set.

But I've unbundled lzo and pushed update anyway:

> *bb-1.3.0_rc1-r3 (30 Jun 2014)
>
>  30 Jun 2014; Sergei Trofimovich <slyfox@gentoo.org> +bb-1.3.0_rc1-r3.ebuild:
>  Unbundle minilzo (bug #515286)

Thanks!
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-07-01 15:19:05 UTC 
> 
> But I've unbundled lzo and pushed update anyway:
> 
> > *bb-1.3.0_rc1-r3 (30 Jun 2014)

Thank you.
If you can remove the vulnerable version we will be all set.
Comment 3 Sergei Trofimovich (RETIRED) gentoo-dev 2014-07-01 20:15:37 UTC 
> If you can remove the vulnerable version we will be all set.

Sure. Done as:

> 01 Jul 2014; Sergei Trofimovich <slyfox@gentoo.org> -bb-1.3.0_rc1-r2.ebuild:
> Removed old version with bundled buggy lzo library (bug #515286).
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-07-21 23:32:47 UTC 
Maintainer(s), Thank you for cleanup!

No GLSA needed as there are no stable versions.