It is suspected that this package is vulnerable to a security vulnerability in LZO. As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected. Please see the information contained in the tracker bug 515246. "An integer overflow may occur when processing any variant of a "literal run" in the lzo1x_decompress_safe function. Each of these three locations is subject to an integer overflow when processing zero bytes.", additional information about the upstream vulnerability is available at http://seclists.org/oss-sec/2014/q2/665
From changelog: 3.3.61 27jun14 Parameterized number of named markers, so that --enable-manymarkers at configure time allows up to 702 named markers instead of 26 (disabled by default). Updated LZ4 for version r118. Fixed broken VCD/TIM export in Windows (broken by new file requester). ...and r118 is the version containing the fix, see https://github.com/lz4/lz4/commit/da5373197e84ee49d75b8334d4510689731d6e90 v3.3.64 was the first version containing the fix which landed in tree, https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/sci-electronics/gtkwave/gtkwave-3.3.64.ebuild?hideattic=0&view=log =sci-electronics/gtkwave-3.3.68 is the current stable version so nothing left to do for us. @ Security: Please vote!
GLSA Vote: No