Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 515246 (CVE-2014-4607) - [TRACKER] Multiple packages vulnerable to LZO vulnerabilities through embedded code (CVE-2014-4607)
Summary: [TRACKER] Multiple packages vulnerable to LZO vulnerabilities through embedde...
Status: RESOLVED FIXED
Alias: CVE-2014-4607
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2014/q2/676
Whiteboard:
Keywords: Tracker
Depends on: CVE-2014-4609 515238 515250 515256 515258 515260 515262 515264 515266 515268 515272 515274 515276 515278 515280 CVE-2014-4610 515284 515296 515300 515304 515306
Blocks:
  Show dependency tree
 
Reported: 2014-06-26 22:03 UTC by Kristian Fiskerstrand
Modified: 2018-05-20 15:13 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand gentoo-dev Security 2014-06-26 22:03:56 UTC
See also bug 515238 regarding the upstream LZO vulnerability reported at http://seclists.org/oss-sec/2014/q2/665. As pointed out in ${URL} several packages contains embedded copies of this code.

As such we ask maintainers with packages suspected to be vulnerable to verify if the package is (or have been) affected.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2014-07-21 23:19:37 UTC
Here is a list of all the packages in list format as part of this tracker. Since GLSA for this will be released when all bugs are completed, the users can use the list to see if any updates to the LZO bug have been done.

media-video/libav dev-libs/lzo sys-boot/grub sys-apps/busybox sys-boot/syslinux app-emulation/xen app-emulation/xen-tools app-emulation/xen-pvgrub www-client/chromium dev-util/valgrind net-misc/remmina media-gfx/blender x11-misc/x11vnc net-libs/libvncserver net-misc/italc app-arch/dump kde-base/krfb net-analyzer/nfdump media-video/kino media-video/ffmpeg dev-embedded/u-boot-tools app-misc/bb games-emulation/mednafen app-editors/hteditor dev-python/pytables sci-electronics/gtkwave
Comment 3 Thomas Deutschmann gentoo-dev Security 2016-11-22 18:42:06 UTC
Just some hints:

For packages using lz4 make sure they are using at least r118, see https://github.com/lz4/lz4/releases/tag/r118

For packages using minilzo make sure they are using at least Oberhumer's LZO version 2.07.