Bug 1113870
Summary: | CVE-2014-4611 LZ4: LZ4_decompress_generic() integer overflow [epel-all] | |
---|---|---|---
Product: | [Fedora] Fedora EPEL | Reporter: | Murray McAllister <mmcallis>
Component: | lz4 | Assignee: | pjp <pj.pandit>
Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | high | Docs Contact: |
Priority: | high | |
Version: | el6 | CC: | pj.pandit, vdanen
Target Milestone: | --- | Keywords: | Security, SecurityTracking
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Release Note
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2014-06-27 20:00:09 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 1112436 | |
Description
Murray McAllister
2014-06-27 06:06:08 UTC
Use the following update submission link to create the Bodhi request for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable. IMPORTANT: ensure that the "Close bugs when update is stable" option remains checked.

Bodhi update submission link: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=1112436,1113870

On Fri, 27 Jun 2014 Yann Collet wrote:

> Hi Prasad
>
> Nope, latest lz4 release is not affected.
>
> Moreover, even the linux kernel implementation is safe, for now. To trigger
> the risk, the program calling the lz4 linux kernel implementation must feed
> the decoder with blocks of more than 8 MB. None of them is doing that right
> now, so it's not exploitable.
>
> However, it's true that, in the future, maybe one program may wander into
> this area. So it's a good thing to update the LZ4 implementation today,
> before the risk gets potentially exposed by a yet unknown future program.
>
> I feel this version of the story should be more widely answered. The current
> risk has been overblown. If you have some way to answer to the sec-list
> article you linked to, could you please make it known? In the meantime, I'm
> in contact with Greg k-h, to make sure the linux kernel implementation will
> get fixed for the next Linux release.
>
> Best regards

-> http://www.openwall.com/lists/oss-security/2014/06/27/9