Vulnerability Class: Integer Overflow
Vulnerability Effect: Memory Corruption
Vulnerability Impact: DoS, RCE
Vulnerability DoS Practicality: Practical
Vulnerability RCE Practicality: Impractical
Vulnerability Criticality: High
Vulnerability Scope:
liblzo1:
- All versions of lzo1 are affected
liblzo2:
- All versions of lzo2 are affected
- Except for platforms that set both of the LZO_UNALIGNED_OK_8 and LZO_UNALIGNED_OK_4 preprocessor macros
More information in ${URL}
From http://www.oberhumer.com/opensource/lzo/: LZO 2.07 has been released: Fixed a potential integer overflow condition in the "safe" decompressor variants which could result in a possible buffer overrun when processing maliciously crafted compressed input data. As this issue only affects 32-bit systems and also can only happen if you use uncommonly huge buffer sizes where you have to decompress more than 16 MiB (2^24 bytes) compressed bytes within a single function call, the practical implications are limited.
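Added illustration (not liblzo's source, and not part of this bug report): a constructed model of the overflow class the release note describes. LZO-style run-length headers add 255 to a counter for every leading zero byte, so on a 32-bit counter roughly 2^32/255 (about 16.8 million, i.e. just over 16 MiB of) zero bytes wrap the counter back to a small value that then satisfies a naive "does the run fit in the output buffer" check. The function and variable names, the 17,000,000-zero-byte input and the 64 MiB output bound are all constructed for the example; the hardened variant rejects the header as soon as the counter would exceed the space actually left in the output.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of an LZO-style run-length header: each 0x00 byte adds 255 to the
 * run length and the first non-zero byte terminates the header and carries
 * the remainder. The counter is a 32-bit unsigned integer, as on the 32-bit
 * systems the release note singles out. Constructed example code only. */

/* Vulnerable pattern: the counter is accumulated without an upper bound, so
 * after about 16.8 million zero bytes it wraps to a small value. A later
 * "t <= bytes left in output" check then passes although the real run is
 * gigabytes long. */
uint32_t run_length_unchecked(const uint8_t *ip, size_t in_left, size_t *consumed)
{
    uint32_t t = 0;
    size_t i = 0;
    while (i < in_left && ip[i] == 0) {
        t += 255;                 /* wraps silently at 2^32 */
        i++;
    }
    if (i < in_left)
        t += ip[i++];             /* terminating byte carries the remainder */
    *consumed = i;
    return t;
}

/* Hardened pattern: the caller passes the output space that is actually
 * available and the counter is never allowed to exceed it, so it can neither
 * wrap nor describe a run the buffer cannot hold. Returns false (consuming
 * nothing) on a run that does not fit or on a truncated header. */
bool run_length_checked(const uint8_t *ip, size_t in_left, uint32_t out_left,
                        uint32_t *t_out, size_t *consumed)
{
    uint32_t t = 0;
    size_t i = 0;
    while (i < in_left && ip[i] == 0) {
        /* t + 255 must stay <= out_left; written without computing t + 255 */
        if (out_left < 255 || t > out_left - 255)
            return false;
        t += 255;
        i++;
    }
    if (i >= in_left)
        return false;             /* header not terminated: truncated input */
    if (ip[i] > out_left - t)     /* t <= out_left holds here, no wrap */
        return false;
    t += ip[i++];
    *t_out = t;
    *consumed = i;
    return true;
}

/* Convenience wrapper: decoded length, or 0 when the checked decoder rejects
 * the header (a real run of length 0 cannot be encoded by this header). */
uint32_t checked_or_zero(const uint8_t *ip, size_t in_left, uint32_t out_left)
{
    uint32_t t = 0;
    size_t used = 0;
    return run_length_checked(ip, in_left, out_left, &t, &used) ? t : 0;
}

/* Scenario from the release note: 17,000,000 zero bytes (just over 16 MiB
 * of compressed input) followed by a terminator, against 64 MiB of output
 * space. Returns 1 when the unchecked counter wraps to 40032705
 * (255*17000000 + 1 mod 2^32), passes the naive bound, and the checked
 * variant rejects the header; -1 on allocation failure; 0 otherwise. */
int demo_wrap(void)
{
    const size_t zeros = 17000000;
    const uint32_t out_left = 64u << 20;
    uint8_t *in = calloc(zeros + 1, 1);
    if (!in)
        return -1;
    in[zeros] = 1;                /* terminate the run */
    size_t used = 0, usedc = 0;
    uint32_t t = run_length_unchecked(in, zeros + 1, &used);
    uint32_t tc = 0;
    bool ok = run_length_checked(in, zeros + 1, out_left, &tc, &usedc);
    free(in);
    /* True run length is 255*zeros + 1 (about 4.3 GB), far beyond out_left */
    return (t == 40032705u && t <= out_left && !ok) ? 1 : 0;
}

int main(void)
{
    printf("small header {0,0,7} -> %u\n", checked_or_zero((const uint8_t[]){0, 0, 7}, 3, 1000));
    printf("wrap scenario reproduced: %d\n", demo_wrap());
    return 0;
}
```

The hardened check is phrased as `t > out_left - 255` rather than `t + 255 > out_left` precisely so that the comparison itself cannot overflow; the same discipline applies to the pointer form (`t > (size_t)(op_end - op)` instead of `op + t > op_end`), which is what keeps the 64-bit and 32-bit behaviour identical.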
Just to highlight the matrix of tested arches and versions from ${URL}:
Vulnerability Tested:
liblzo1:
x86_64: vulnerable
i386: vulnerable
ARM: vulnerable
liblzo2:
x86_64: not vulnerable
i386: vulnerable
ARM: vulnerable
Please test and stabilize: =dev-libs/lzo-2.08
Stable for HPPA.
amd64 stable
x86 stable
alpha stable
ia64 stable
ppc64 stable
ppc stable
sparc stable
arm stable, all arches done!
Cleanup, please!
Arches, thank you for your work. Maintainer(s), please drop the vulnerable version(s). New GLSA request filed.
Maintainer(s), please drop the vulnerable version(s).
Vulnerable versions have been around for two months. Maintainer(s): please drop affected versions; security will remove in 30 days if no response.
Cleanup done
This issue was resolved and addressed in GLSA 201701-14 at https://security.gentoo.org/glsa/201701-14 by GLSA coordinator Thomas Deutschmann (whissi).