Don A. Bailey of Lab Mouse Security reported an integer overflow issue in various implementations of the LZO (Lempel–Ziv–Oberhumer) and LZ4 compression algorithms. The issue is in the handling of "literal runs" during decompression, and can lead to an application crash and, possibly, code execution. This bug tracks LZ4 and the LZ4 copy embedded in the Linux kernel (as of version 3.11). This issue cannot be triggered on 64-bit systems today, as it would require input of a size beyond the capabilities of modern computers. On 32-bit systems, it can only affect applications using sufficiently large decompression blocks (16 MB+).
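The following is an added illustration, not the kernel's or LZ4 upstream's code, of the literal-run length decoding the description refers to and of why a bounds check that adds the run length to the input pointer fails once the sum wraps; it models positions as uint32_t offsets to stand in for a 32-bit address space, and every sample byte string is constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* LZ4 stores a literal-run length as the token's high nibble (0..15); 15 means
 * extension bytes follow, each adding 0..255, until a byte below 255 ends it.
 * Returns false if the extension runs past the end of the input. */
bool lz4_literal_length(const uint8_t *in, size_t in_len, size_t *used, uint64_t *len)
{
    if (in_len == 0) return false;
    uint64_t n = in[0] >> 4;
    size_t i = 1;
    if (n == 15) {
        uint8_t b;
        do {
            if (i >= in_len) return false;
            b = in[i++];
            n += b;   /* 64-bit here; a 32-bit size_t would wrap after ~16.8 MB of 0xFF */
        } while (b == 255);
    }
    *used = i;
    *len = n;
    return true;
}
/* Constructed samples (not real LZ4 frames): an extended run
 * 15+255+255+16 = 541 and a truncated extension. */
static const uint8_t SAMPLE_EXT[]   = { 0xF0, 0xFF, 0xFF, 0x10 };
static const uint8_t SAMPLE_TRUNC[] = { 0xF0, 0xFF };

/* Parse a sample; UINT64_MAX signals a malformed length. */
uint64_t parse_sample(const uint8_t *in, size_t in_len)
{
    size_t used; uint64_t len;
    return lz4_literal_length(in, in_len, &used, &len) ? len : UINT64_MAX;
}

/* The check pattern that goes wrong: add the run length to the input position
 * and compare with the end. uint32_t offsets model a 32-bit address space,
 * where ip + len wraps and can land below iend, accepting an oversized run. */
bool run_fits_by_addition(uint32_t ip, uint32_t iend, uint64_t len)
{
    uint32_t run_end = ip + (uint32_t)len;   /* wraps modulo 2^32 */
    return run_end <= iend;
}

/* Hardened form: compare against the remaining space, computed by subtraction. */
bool run_fits_by_remaining(uint32_t ip, uint32_t iend, uint64_t len)
{
    return ip <= iend && len <= (uint64_t)(iend - ip);
}
```

With ip = 0x7FF00000 and iend = 0x80000000, a run of 0x80200000 bytes wraps to 0x00100000 in the addition form and is accepted, while the subtraction form rejects it.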
Created lz4 tracking bugs for this issue:
Affects: fedora-all [bug 1113869]
Affects: epel-all [bug 1113870]
This issue is public: http://seclists.org/oss-sec/2014/q2/669
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1113884]
Statement: Not vulnerable. This issue does not affect the kernel packages as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise Linux MRG 2.
I believe this is fixed upstream with:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=206204a1162b995e2185275167b22468c00d6b36
which has been backported to the stable kernels with commits:
3.14.y: 5f32449c2863adf190b83402e9a4069cee054f9d
3.15.y: 80fdb886fefbc782195ed2c0bd757ea202e05953
Blog posts from Don A. Bailey, the original reporter of this issue:
http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html
http://blog.securitymouse.com/2014/06/understanding-lz4-memory-corruption.html

Reporter's security reports for both LZ4 upstream and the embedded copy as used in the Linux kernel:
https://www.securitymouse.com/lms-2014-06-16-6
https://www.securitymouse.com/lms-2014-06-16-5

Feedback from LZ4 upstream, which indicates there is no application known to be affected by this flaw, as the issue is only exploitable when an application uses large decompression blocks (16mb+). The LZ4 file format does not allow blocks of such size.
http://fastcompression.blogspot.fr/2014/06/debunking-lz4-20-years-old-bug-myth.html
http://fastcompression.blogspot.fr/2014/06/lets-move-on.html

LZ4 upstream bug report, an independent report from Ludwig Strigeus which pre-dates Don A. Bailey's report:
https://code.google.com/p/lz4/issues/detail?id=52

LZ4 upstream fix:
https://github.com/Cyan4973/lz4/commit/da5373197e84ee49d75b8334d4510689731d6e90

The above fix was applied to the LZ4 upstream repository with other changes as part of this commit:
https://code.google.com/p/lz4/source/detail?r=118

Test case from the above LZ4 upstream bug report:
https://github.com/Cyan4973/lz4/commit/26b82f35#diff-0