See also bug 515238 regarding the upstream LZO vulnerability reported at http://seclists.org/oss-sec/2014/q2/665. As pointed out in ${URL} several packages contains embedded copies of this code. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected.
Some additional references: http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html http://fastcompression.blogspot.fr/2014/06/debunking-lz4-20-years-old-bug-myth.html http://seclists.org/oss-sec/2014/q2/681
Here is a list of all the packages in list format as part of this tracker. Since GLSA for this will be released when all bugs are completed, the users can use the list to see if any updates to the LZO bug have been done. media-video/libav dev-libs/lzo sys-boot/grub sys-apps/busybox sys-boot/syslinux app-emulation/xen app-emulation/xen-tools app-emulation/xen-pvgrub www-client/chromium dev-util/valgrind net-misc/remmina media-gfx/blender x11-misc/x11vnc net-libs/libvncserver net-misc/italc app-arch/dump kde-base/krfb net-analyzer/nfdump media-video/kino media-video/ffmpeg dev-embedded/u-boot-tools app-misc/bb games-emulation/mednafen app-editors/hteditor dev-python/pytables sci-electronics/gtkwave
Just some hints: For packages using lz4 make sure they are using at least r118, see https://github.com/lz4/lz4/releases/tag/r118 For packages using minilzo make sure they are using at least Oberhumer's LZO version 2.07.
