Bug 1115767 (CVE-2014-4715)

Summary: CVE-2014-4715 lz4: LZ4_decompress_generic() integer overflow (32-bit arches)
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agordeev, anton, aquini, bhu, carnil, davej, dhoward, esammons, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, lgoncalv, lwang, madhu.chinakonda, matt, mchehab, mcressma, npajkovs, pholasek, pj.pandit, plougher, ppandit, rt-maint, rvrbovsk, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-07-07 07:19:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1116362    
Bug Blocks: 1112414    

Description Huzaifa S. Sidhpurwala 2014-07-03 05:07:46 UTC 
Don A. Bailey of Lab Mouse Security reported an integer overflow issue in various implementations of LZO (Lempel–Ziv–Oberhumer) and LZ4 compression algorithms.  The issue is in the handling of "literal runs" during decompression, and can lead to application crash and, possibly, code execution.

The CVE-2014-4715 assignment, from the perspective of the LZ4 product, is for issue 134 fixed in r119:

https://code.google.com/p/lz4/issues/detail?id=134
https://code.google.com/p/lz4/source/detail?r=119
Comment 1 Prasad Pandit 2014-07-04 10:02:38 UTC 
Upstream kernel fix:
--------------------
  -> https://git.kernel.org/linus/4a3a99045177369700c60d074c0e525e8093b0fc
Comment 2 Prasad Pandit 2014-07-04 10:03:27 UTC 
Statement:

This issue does not affect the versions of the kernel package as shipped with
Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2.
Comment 3 Prasad Pandit 2014-07-04 10:08:14 UTC 
LZ4 Fedora/EPEL package updates:
--------------------------------
  -> https://admin.fedoraproject.org/updates/lz4-r119-1.fc20
  -> https://admin.fedoraproject.org/updates/lz4-r119-1.fc19
  -> https://admin.fedoraproject.org/updates/lz4-r119-1.el6
  -> https://admin.fedoraproject.org/updates/lz4-r119-1.el5
Comment 4 Prasad Pandit 2014-07-04 10:09:46 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1116362]
Comment 5 Josh Boyer 2014-07-04 14:45:49 UTC 
(In reply to Prasad J Pandit from comment #1)
> Upstream kernel fix:
> --------------------
>   -> https://git.kernel.org/linus/4a3a99045177369700c60d074c0e525e8093b0fc

There's some disagreement and an alternate fix proposed on this:

http://comments.gmane.org/gmane.linux.kernel/1738748