Bug#768945: busybox lzo implementation suffers from CVE-2014-4607 flaw

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#768945: busybox lzo implementation suffers from CVE-2014-4607 flaw
From: Michael Tokarev <mjt@tls.msk.ru>
Date: Mon, 10 Nov 2014 13:57:59 +0400
Message-id: <[🔎] 20141110105759.26128.19795.reportbug@gandalf.local>
Reply-to: Michael Tokarev <mjt@tls.msk.ru>, 768945@bugs.debian.org

Source: busybox
Version: 1:1.22.0-5
Severity: serious
Tags: security patch upstream fixed-upstream

Busybox embeds mini-lzo library implementation which suffers
from CVE-2014-4607 -- integer overflow with memory corruption
potential and a risk of (remote) code execution, see
http://www.openwall.com/lists/oss-security/2014/06/26/20 for
details.

This flaw has been fixed in busybox upstream in commit
a9dc7c2f59dc5e92870d2d46316ea5c1f14740e3.

/mjt

Reply to:

Follow-Ups:
- Bug#768945: marked as done (busybox lzo implementation suffers from CVE-2014-4607 flaw)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#768657: [Pkg-sysvinit-devel] Bug#768657: sysvinit: Please provide xen virtual console in inittab
Next by Date: Processed: tagging 768945
Previous by thread: Bug#768657: [Pkg-sysvinit-devel] Bug#768657: sysvinit: Please provide xen virtual console in inittab
Next by thread: Bug#768945: marked as done (busybox lzo implementation suffers from CVE-2014-4607 flaw)
Index(es):
- Date
- Thread