Bug 1112436 (CVE-2014-4611) - CVE-2014-4611 lz4: LZ4_decompress_generic() integer overflow
Summary: CVE-2014-4611 lz4: LZ4_decompress_generic() integer overflow
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2014-4611
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1113869 1113870 1113884
Blocks: 1112414
 
Reported: 2014-06-24 00:22 UTC by Kurt Seifried
Modified: 2021-02-17 06:27 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-30 04:19:14 UTC
Embargoed:



Description Kurt Seifried 2014-06-24 00:22:34 UTC
Don A. Bailey of Lab Mouse Security reported an integer overflow issue in various implementations of LZO (Lempel–Ziv–Oberhumer) and LZ4 compression algorithms.  The issue is in the handling of "literal runs" during decompression, and can lead to application crash and, possibly, code execution.

This bug is for LZ4 and the LZ4 copy embedded in the Linux kernel (as of version 3.11).

This issue cannot be triggered on 64-bit systems today, as it would require input of a size that is beyond the capabilities of modern computers. On 32-bit systems, this can only affect applications using sufficiently large decompression blocks (16 MB+).

Comment 1 Murray McAllister 2014-06-27 06:06:23 UTC
Created lz4 tracking bugs for this issue:

Affects: fedora-all [bug 1113869]
Affects: epel-all [bug 1113870]

Comment 2 Murray McAllister 2014-06-27 06:06:43 UTC
This issue is public:

http://seclists.org/oss-sec/2014/q2/669

Comment 3 Petr Matousek 2014-06-27 07:00:22 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1113884]

Comment 4 Petr Matousek 2014-06-27 07:13:37 UTC
Statement:

Not vulnerable. This issue does not affect the kernel packages as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise Linux MRG 2.

Comment 5 Josh Boyer 2014-06-27 11:45:22 UTC
I believe this is fixed upstream with:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=206204a1162b995e2185275167b22468c00d6b36

Which has been backported to the stable kernels with commits:

3.14.y: 5f32449c2863adf190b83402e9a4069cee054f9d
3.15.y: 80fdb886fefbc782195ed2c0bd757ea202e05953

Comment 6 Tomas Hoger 2014-06-30 14:35:11 UTC
Blog posts from Don A. Bailey, the original reporter of this issue:

http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html
http://blog.securitymouse.com/2014/06/understanding-lz4-memory-corruption.html

Reporter's security reports for both LZ4 upstream and the embedded copy as used in the Linux kernel:

https://www.securitymouse.com/lms-2014-06-16-6
https://www.securitymouse.com/lms-2014-06-16-5

Feedback from the LZ4 upstream, which indicates there are no applications known to be affected by this flaw, as the issue is only exploitable when an application uses large decompression blocks (16 MB+). The LZ4 file format does not allow blocks of such size.

http://fastcompression.blogspot.fr/2014/06/debunking-lz4-20-years-old-bug-myth.html
http://fastcompression.blogspot.fr/2014/06/lets-move-on.html

LZ4 upstream bug report, an independent report from Ludwig Strigeus, which pre-dates Don A. Bailey's report:

https://code.google.com/p/lz4/issues/detail?id=52

LZ4 upstream fix:

https://github.com/Cyan4973/lz4/commit/da5373197e84ee49d75b8334d4510689731d6e90

The above fix was applied to LZ4 upstream repository with other changes as part of this commit:

https://code.google.com/p/lz4/source/detail?r=118

Test case from the above LZ4 upstream bug report:

https://github.com/Cyan4973/lz4/commit/26b82f35#diff-0
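The literal-run bounds check that the description and the upstream feedback above refer to, as an added example that is not code from this bug, from LZ4 or from the kernel: a C decoder for the literal-length field that compares lengths against the remaining space instead of forming a pointer sum that can wrap on a 32-bit build. Assumed here: the LZ4 block-format token layout, and the two constructed sample inputs.

```c
#include <stdint.h>
#include <string.h>
/* Copy the literal run that opens an LZ4 sequence from ip to op. Layout as in
 * the LZ4 block format: the token's high nibble is the literal length, and 15
 * means further bytes are added until one below 255 ends the length. Returns
 * bytes copied, or -1 if input is truncated or the run does not fit. */
long lz4_copy_literals(const uint8_t *ip, size_t ilen, uint8_t *op, size_t olen)
{
    const uint8_t *iend = ip + ilen;
    size_t length;
    if (ilen == 0)
        return -1;
    length = (size_t)(*ip++ >> 4);
    if (length == 15) {
        uint8_t s;
        do {
            if (ip >= iend)
                return -1;              /* length bytes run past the input */
            s = *ip++;
            if (length > SIZE_MAX - 255)
                return -1;              /* accumulator itself would wrap */
            length += s;
        } while (s == 255);
    }
    /* Unsafe pattern: "cpy = op + length; if (cpy > oend) fail;". In a 32-bit
     * build a 16 MB+ length can wrap op + length past the top of the address
     * space, so the check passes. Comparing lengths never forms that pointer. */
    if (length > (size_t)(iend - ip) || length > olen)
        return -1;                      /* literals exceed input or output */
    memcpy(op, ip, length);
    return (long)length;
}
/* Constructed sample: token 0x50 announces 5 literals, then "hello". */
long demo_well_formed(void)
{
    static const uint8_t in[] = { 0x50, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[16];
    long n = lz4_copy_literals(in, sizeof in, out, sizeof out);
    return (n == 5 && memcmp(out, "hello", 5) == 0) ? n : -2;
}
/* Constructed sample: token 0xF0, 69999 bytes of 0xFF and a final 0x00 encode
 * a literal length of 17,849,760 (over 16 MB) inside a 70 KB input. */
long demo_oversized(void)
{
    static uint8_t in[70001];
    uint8_t out[64];
    memset(in, 0xFF, sizeof in);
    in[0] = 0xF0; in[sizeof in - 1] = 0x00;
    return lz4_copy_literals(in, sizeof in, out, sizeof out);
}
```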

