Bug 1112436 (CVE-2014-4611)
| Summary: | CVE-2014-4611 lz4: LZ4_decompress_generic() integer overflow | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | agordeev, anton, aquini, bhu, davej, dhoward, esammons, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, lgoncalv, lwang, madhu.chinakonda, matt, mchehab, mcressma, mmcallis, npajkovs, pholasek, pj.pandit, plougher, pmatouse, rt-maint, rvrbovsk, security-response-team, williams |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-06-30 04:19:14 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1113869, 1113870, 1113884 | ||
| Bug Blocks: | 1112414 | ||
|
Description
Kurt Seifried
2014-06-24 00:22:34 UTC
Created lz4 tracking bugs for this issue: Affects: fedora-all [bug 1113869] Affects: epel-all [bug 1113870] This issue is public: http://seclists.org/oss-sec/2014/q2/669 Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1113884] Statement: Not vulnerable. This issue does not affect the kernel packages as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise Linux MRG 2. I believe this is fixed upstream with: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=206204a1162b995e2185275167b22468c00d6b36 Which has been backported to the stable kernels with commits: 3.14.y: 5f32449c2863adf190b83402e9a4069cee054f9d 3.15.y: 80fdb886fefbc782195ed2c0bd757ea202e05953 Blog posts from Don A. Bailey, the original reporter of this issue: http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html http://blog.securitymouse.com/2014/06/understanding-lz4-memory-corruption.html Reporter's security reports for both LZ4 upstream, and embedded copy as used in the Linux kernel: https://www.securitymouse.com/lms-2014-06-16-6 https://www.securitymouse.com/lms-2014-06-16-5 Feedback from the LZ4 upstream, which indicates there are no application known to be affected by this flaw, as the issue is only exploitable when application uses large decompression blocks (16mb+). LZ4 file format does not allow blocks of such size. http://fastcompression.blogspot.fr/2014/06/debunking-lz4-20-years-old-bug-myth.html http://fastcompression.blogspot.fr/2014/06/lets-move-on.html LZ4 upstream bugs report, an independent report from Ludwig Strigeus, which pre-dates Don A. Bailey's report: https://code.google.com/p/lz4/issues/detail?id=52 LZ4 upstream fix: https://github.com/Cyan4973/lz4/commit/da5373197e84ee49d75b8334d4510689731d6e90 The above fix was applied to LZ4 upstream repository with other changes as part of this commit: https://code.google.com/p/lz4/source/detail?r=118 Test case from the above LZ4 upstream bug report: https://github.com/Cyan4973/lz4/commit/26b82f35#diff-0 |