It is suspected that this package is vulnerable to a security vulnerability in LZO. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected. Please see the information contained in the tracker bug 515246. "An integer overflow may occur when processing any variant of a "literal run" in the lzo1x_decompress_safe function. Each of these three locations is subject to an integer overflow when processing zero bytes.", additional information about the upstream vulnerability is available at http://seclists.org/oss-sec/2014/q2/665
'bb' is a standalone ascii-art demo program. It does not receive lzo streams from outside, thus should not be vulnerable. Don't know which status to set. But I've unbundled lzo and pushed update anyway: > *bb-1.3.0_rc1-r3 (30 Jun 2014) > > 30 Jun 2014; Sergei Trofimovich <slyfox@gentoo.org> +bb-1.3.0_rc1-r3.ebuild: > Unbundle minilzo (bug #515286) Thanks!
> > But I've unbundled lzo and pushed update anyway: > > > *bb-1.3.0_rc1-r3 (30 Jun 2014) Thank you. If you can remove the vulnerable version we will be all set.
> If you can remove the vulnerable version we will be all set. Sure. Done as: > 01 Jul 2014; Sergei Trofimovich <slyfox@gentoo.org> -bb-1.3.0_rc1-r2.ebuild: > Removed old version with bundled buggy lzo library (bug #515286).
Maintainer(s), Thank you for cleanup! No GLSA needed as there are no stable versions.