Bug 1112418 (CVE-2014-4607)
Summary: CVE-2014-4607 lzo: lzo1x_decompress_safe() integer overflow
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: agrover, bcl, carnil, fdc, gwync, hobbes1069, huzaifas, jgrulich, jochen, jreznik, jrusnack, jskarvad, kevin, kwizart, lkundrak, ltinkl, luigiwalser, mads, mmcallis, mschmidt, negativo17, nmavrogi, pahan, phracek, pjones, pmatouse, promac, rdieter, rnovacek, security-response-team, smparrish, steve, than
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text: An integer overflow flaw was found in the way the lzo library decompressed certain archives compressed with the LZO algorithm. An attacker could create a specially crafted LZO-compressed input that, when decompressed by an application using the lzo library, would cause that application to crash or, potentially, execute arbitrary code.
Story Points: ---
Last Closed: 2014-07-10 04:35:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1112539, 1112540, 1112541, 1112542, 1112927, 1112928, 1113874, 1113875, 1131789, 1131790, 1131791, 1131792, 1131793, 1131794, 1131795, 1131796, 1132282
Bug Blocks: 1112414
Description
Kurt Seifried
2014-06-23 22:55:47 UTC
This is now public: http://seclists.org/oss-sec/2014/q2/665

Created lzo tracking bugs for this issue:

Affects: fedora-all [bug 1113874]
Affects: epel-5 [bug 1113875]

References:
http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html
https://www.securitymouse.com/lms-2014-06-16-1
http://fastcompression.blogspot.fr/2014/06/debunking-lz4-20-years-old-bug-myth.html

This issue affects the version of lzo as shipped with Red Hat Enterprise Linux 6. Red Hat Enterprise Linux 7 only supports 64-bit architectures. Since exploiting this issue on 64-bit platforms is not feasible given the amount of input data that is necessary to trigger the integer overflow, we are currently not planning to fix this issue in Red Hat Enterprise Linux 7.

This issue is fixed in lzo-2.0.7. Upstream mentions the following on its website:

> Fixed a potential integer overflow condition in the "safe" decompressor variants which could result in a possible buffer overrun when processing maliciously crafted compressed input data. POTENTIAL SECURITY ISSUE. CVE-2014-4607. All users are recommended to upgrade immediately.
>
> Fortunately this issue only affects 32-bit systems and also can only happen if you use uncommonly huge buffer sizes where you have to decompress more than 16 MiB (> 2^24 bytes) untrusted compressed bytes within a single function call, so the practical implications are limited. Also I personally do not know about any client program that uses such a huge logical block size and actually is affected.

http://www.oberhumer.com/opensource/lzo/#news

Created attachment 913398 [details]
Backported patch
Backport from lzo-2.07.
Created attachment 913482 [details]
Backported patch
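The bug class this report describes (a length counter in the "safe" decompressor that wraps on a 32-bit size type once more than 16 MiB of input is consumed in one call, after which a bounds check can be satisfied by a value that should have been rejected) can be illustrated in C. The block below is an added example for this tracker page; it is not lzo's code and not the backported patch above. The 32-bit `len32` type, the run-length encoding in which each zero byte adds 255, the function names, the buffer sizes and the sample bytes are all assumptions chosen to model the failure mode and the two defensive measures upstream's fix implies: compare a length against the remaining room instead of adding it to a pointer, and cap how far the counter may grow.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of the bug class, not lzo's code. `len32` stands in
 * for a 32-bit size type so the wrap is reproducible on a 64-bit host. */
typedef uint32_t len32;

/* Naive check: computes op + t and compares it with the end of the buffer.
 * Unsigned addition wraps, so a huge t can look small and the check passes. */
bool naive_fits(len32 op, len32 t, len32 out_len)
{
    return op + t <= out_len;
}

/* Robust check: compare t with the room that is left. No addition can wrap. */
bool robust_fits(len32 op, len32 t, len32 out_len)
{
    return op <= out_len && t <= out_len - op;
}

/* Value an uncapped 32-bit run-length counter holds after `zero_bytes` zero
 * bytes, each adding 255 (assumed encoding). 64-bit math, then truncation. */
len32 uncapped_counter(size_t zero_bytes)
{
    return (len32)((uint64_t)zero_bytes * 255u);
}

/* Hardened counter accumulation: refuses to grow the counter past `cap`.
 * Returns true and stores the decoded length in *t_out on success. */
bool accumulate_len(const uint8_t *ip, size_t in_len, len32 cap, len32 *t_out)
{
    len32 t = 0;
    size_t i = 0;

    if (cap < 255u)            /* cap too small to hold even one step */
        return false;
    while (i < in_len && ip[i] == 0) {
        if (t > cap - 255u)    /* the next += 255 would exceed cap */
            return false;
        t += 255u;
        i++;
    }
    if (i >= in_len)           /* run was not terminated inside the input */
        return false;
    if (ip[i] > cap - t)       /* the terminating byte would exceed cap */
        return false;
    t += ip[i];
    *t_out = t;
    return true;
}

/* Decodes a constructed 4-byte run (three zeros, then 7) under `cap`.
 * Returns the length (3*255 + 7 = 772) or 0 when the cap rejects it. */
len32 decode_run_demo(len32 cap)
{
    static const uint8_t run[] = {0, 0, 0, 7};   /* constructed sample */
    len32 n = 0;
    return accumulate_len(run, sizeof run, cap, &n) ? n : 0;
}

int main(void)
{
    /* Constructed scenario: the writer is at offset 16 in a 4096-byte
     * buffer and a wrapped counter asks for 0xFFFFFFF8 bytes. */
    len32 op = 16, out_len = 4096, t = 0xFFFFFFF8u;
    printf("naive_fits:  %d (wrongly accepts)\n", naive_fits(op, t, out_len));
    printf("robust_fits: %d\n", robust_fits(op, t, out_len));

    /* Roughly 16 MiB of zero bytes wraps the 32-bit counter to a small value. */
    printf("uncapped counter after 16843010 zeros: %u\n",
           uncapped_counter(16843010u));

    len32 ok_len = decode_run_demo(1u << 20);
    len32 capped = decode_run_demo(600u);
    printf("run under cap 1<<20: %u; under cap 600: %u (0 = rejected)\n",
           ok_len, capped);
    return 0;
}
```

The `uncapped_counter` call reproduces the figure in upstream's note: a little over 2^24 zero bytes is enough to wrap a 32-bit counter, which is why the issue is confined to 32-bit builds that decompress more than 16 MiB in a single call. The cap in `accumulate_len` should be the caller's output-buffer size, so that an over-long run is rejected before any pointer arithmetic is done with it.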
Acknowledgements:

Red Hat would like to thank Don A. Bailey from Lab Mouse Security for reporting this issue.

IssueDescription:

An integer overflow flaw was found in the way the lzo library decompressed certain archives compressed with the LZO algorithm. An attacker could create a specially crafted LZO-compressed input that, when decompressed by an application using the lzo library, would cause that application to crash or, potentially, execute arbitrary code.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7

Via RHSA-2014:0861 https://rhn.redhat.com/errata/RHSA-2014-0861.html

The kdenetwork package may be affected, as it includes krfb: http://www.kde.org/info/security/advisory-20140803-1.txt

krfb-4.13.3-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

krfb-4.11.5-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

Created remmina tracking bugs for this issue:

Affects: fedora-all [bug 1131796]

Created icecream tracking bugs for this issue:

Affects: fedora-all [bug 1131794]
Affects: epel-all [bug 1131795]

Created distcc tracking bugs for this issue:

Affects: fedora-all [bug 1131791]
Affects: epel-6 [bug 1131792]

Created grub2 tracking bugs for this issue:

Affects: fedora-all [bug 1131793]

Created krfb tracking bugs for this issue:

Affects: fedora-all [bug 1131789]

Created blender tracking bugs for this issue:

Affects: fedora-all [bug 1131790]

According to https://bugs.mageia.org/show_bug.cgi?id=13943 a number of other packages may embed lzo. I checked the build logs for the above bugs and believe they do embed it.

Hi Murray,

I believe you missed the dump package. I checked the dump-debuginfo package in Fedora Rawhide and found these files, which suggests that the bundled minilzo is indeed built:
/usr/src/debug/dump-0.4b44/compat/lib/minilzo.c
/usr/src/debug/dump-0.4b44/compat/include/minilzo.h
/usr/src/debug/dump-0.4b44/compat/include/lzoconf.h

Created dump tracking bugs for this issue:

Affects: fedora-all [bug 1132282]

(In reply to David Walser from comment #29)
> Hi Murray,
>
> I believe you missed the dump package. I checked the dump-debuginfo package
> in Fedora Rawhide and found these files, which suggests that the bundled
> minilzo is indeed built:
> /usr/src/debug/dump-0.4b44/compat/lib/minilzo.c
> /usr/src/debug/dump-0.4b44/compat/include/minilzo.h
> /usr/src/debug/dump-0.4b44/compat/include/lzoconf.h

I did miss it, thank you!

distcc-3.2rc1-4.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

distcc-3.2rc1-8.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

distcc-3.2rc1-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

icecream-1.0.1-8.20140822git.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

icecream-1.0.1-8.20140822git.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

icecream-1.0.1-8.20140822git.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

grub2-2.02-0.13.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

grub2-2.00-27.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

grub2-2.00-27.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

dump-0.4-0.24.b44.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.