Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 515234 (CVE-2014-4609) - <media-video/libav-9.14: Vulnerability in LZO (CVE-2014-4609)
Summary: <media-video/libav-9.14: Vulnerability in LZO (CVE-2014-4609)
Alias: CVE-2014-4609
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on: 516208
Blocks: CVE-2014-4607 516206
  Show dependency tree
Reported: 2014-06-26 20:42 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2015-02-07 20:49 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-26 20:42:52 UTC
Researcher Name: Don A. Bailey
Researcher Organization: Lab Mouse Security
Researcher Email: donb at
Researcher Website:

Vulnerability Status: Patched
Vulnerability Embargo: Broken

Vulnerability Class: Integer Overflow
Vulnerability Effect: Memory Corruption
Vulnerability Impact: DoS, OOW, RCE
Vulnerability DoS Practicality: Practical
Vulnerability OOW Practicality: Practical
Vulnerability RCE Practicality: Practical
Vulnerability Criticality: Critical

Vulnerability Scope:
All versions of libav are affected.
All architectures supported by libav are affected.

Criticality Reasoning
This vulnerability can be triggered through a compression payload embedded
in a video file. Due to the nature of this memory corruption vulnerability,
exploitation of the bug can be seamless and work in the background during
normal video playback. A user will never notice that playback has been

Testing was successfully performed on all variants of mplayer2, including
gecko-mplayer2 embedded in Firefox, Iceweasel, Opera, Chromium, and Konqueror
on Linux.

Ease of compromise is partly due to libav's use of tmalloc, which places
a header containing function pointers at the beginning of allocated heap
regions. Exploitation of the compression vulnerability overwrites these
function pointers, which then point to ROP payloads that allow for the
bypassing of ASLR and NX security enhancements.

See more details in ${URL}
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-28 10:51:05 UTC
We are happy to update three release branches: Today, we provide you with Libav 10.2, Libav 9.14, and Libav 0.8.13, which address a number of critical functional and security issues that we have been made aware of. In particular, these releases address the recently discovered LZO issue.
Comment 2 Agostino Sarubbo gentoo-dev 2014-07-15 09:14:44 UTC
Arches please test and mark stable:
target keywords :"alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2014-07-15 09:16:33 UTC
(In reply to Agostino Sarubbo from comment #2)
> Arches please test and mark stable:
> =media-video/libav-9.14
> target keywords :"alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

and =virtual/ffmpeg-9 where is required.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-07-18 20:14:53 UTC
With the blockers gone, please proceed with stabilization, same as comment #3
Comment 5 Agostino Sarubbo gentoo-dev 2014-07-23 11:02:48 UTC
amd64 stable as part of the stabilization of gnome 3.12 in bug #512012
Comment 6 Agostino Sarubbo gentoo-dev 2014-07-28 14:04:17 UTC
x86 stable as part of the stabilization of gnome 3.12 in bug #512012

ppc stable as part of the stabilization of gnome 3.12 in bug #512012
Comment 7 Tobias Klausmann gentoo-dev 2014-07-31 14:41:04 UTC
Actual stabilization list for Alpha:

Comment 8 Markus Meier gentoo-dev 2014-08-06 20:24:44 UTC
arm stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2014-08-08 09:40:39 UTC
Stable for HPPA.
Comment 10 Agostino Sarubbo gentoo-dev 2014-08-09 10:49:07 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-08-10 09:21:00 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-08-10 09:30:50 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2014-08-17 05:42:33 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version.

GLSA Vote: No
Comment 14 Agostino Sarubbo gentoo-dev 2014-09-02 09:04:36 UTC
Cleanup done
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2014-09-03 19:59:48 UTC
This is part of the Master GLSA for LZO vulnerabilities.

Adding to existing GLSA.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2015-02-07 20:49:57 UTC
This issue was resolved and addressed in
 GLSA 201502-08 at
by GLSA coordinator Kristian Fiskerstrand (K_F).