Don A. Bailey of securitymouse.com reports:

Vulnerability Description
-------------------------
An integer overflow may occur when processing any variant of a "literal run" in the lzo1x_decompress_safe function. Each of these three locations is subject to an integer overflow when processing zero bytes. This exposes the code that copies literals to memory corruption. It should be noted that if the target is 64-bit liblzo2, the overflow is still possible, but impractical. An overflow would require so much input data that an attack would be infeasible even on modern computers.

This issue is LAZARUS.1
This is now public: http://seclists.org/oss-sec/2014/q2/665
Created lzo tracking bugs for this issue:

Affects: fedora-all [bug 1113874]
Affects: epel-5 [bug 1113875]
References:
http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html
https://www.securitymouse.com/lms-2014-06-16-1
http://fastcompression.blogspot.fr/2014/06/debunking-lz4-20-years-old-bug-myth.html
This issue affects the version of lzo as shipped with Red Hat Enterprise Linux 6. Red Hat Enterprise Linux 7 only supports 64-bit architectures. Since exploiting this issue on 64-bit platforms is not feasible given the amount of input data that is necessary to trigger the integer overflow, we are currently not planning to fix this issue in Red Hat Enterprise Linux 7.
This issue is fixed in lzo-2.0.7. Upstream mentions the following on its website:

Fixed a potential integer overflow condition in the "safe" decompressor variants which could result in a possible buffer overrun when processing maliciously crafted compressed input data. POTENTIAL SECURITY ISSUE. CVE-2014-4607. All users are recommended to upgrade immediately. Fortunately this issue only affects 32-bit systems and also can only happen if you use uncommonly huge buffer sizes where you have to decompress more than 16 MiB (> 2^24 bytes) untrusted compressed bytes within a single function call, so the practical implications are limited. Also I personally do not know about any client program that uses such a huge logical block size and actually is affected.

http://www.oberhumer.com/opensource/lzo/#news
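An added illustration of the overflow described in the report above and in the upstream note (example code written here, not lzo's own source): a simplified literal-run length decoder in the pre-2.07 pattern, where each leading zero byte adds 255 to a 32-bit counter, beside a hardened variant that bounds the zero-byte count before multiplying. The function names, the base value of 15 and the constructed all-zero input are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>

enum { RUN_OK = 0, RUN_INPUT_OVERRUN = -1, RUN_LENGTH_OVERFLOW = -2 };

/* Pre-fix pattern: each leading zero byte adds 255 to the pending length. The
 * counter is uint32_t on purpose (32-bit build behaviour); nothing bounds it. */
static uint32_t literal_len_unchecked(const uint8_t *ip, size_t avail, uint32_t base) {
    uint32_t t = 0;
    size_t i = 0;
    while (i < avail && ip[i] == 0) { t += 255; i++; }
    if (i == avail) return 0;                 /* truncated input, no length */
    return t + base + ip[i];                  /* wraps silently past 2^32 */
}

/* Hardened variant: count the zeros first, then refuse any count whose 255x
 * contribution plus base and the final byte (at most 255) cannot fit. */
static int literal_len_checked(const uint8_t *ip, size_t avail, uint32_t base,
                               uint32_t *len) {
    size_t zeros = 0;
    while (zeros < avail && ip[zeros] == 0) zeros++;
    if (zeros == avail) return RUN_INPUT_OVERRUN;
    if (zeros > (UINT32_MAX - base - 255u) / 255u) return RUN_LENGTH_OVERFLOW;
    *len = (uint32_t)zeros * 255u + base + ip[zeros];
    return RUN_OK;
}

/* Constructed input: `zeros` zero bytes followed by `last`; caller frees. */
static uint8_t *build_input(size_t zeros, uint8_t last) {
    uint8_t *buf = calloc(zeros + 1, 1);
    if (buf) buf[zeros] = last;
    return buf;
}

/* Length the pre-fix loop yields for that input (base 15: first literal run). */
uint32_t demo_unchecked(size_t zeros, uint8_t last) {
    uint8_t *buf = build_input(zeros, last);
    uint32_t t = buf ? literal_len_unchecked(buf, zeros + 1, 15) : 0;
    free(buf);
    return t;
}

/* Status the hardened decoder returns for the same input. */
int demo_checked(size_t zeros, uint8_t last) {
    uint8_t *buf = build_input(zeros, last);
    if (!buf) return RUN_INPUT_OVERRUN;
    uint32_t len = 0;
    int st = literal_len_checked(buf, zeros + 1, 15, &len);
    free(buf);
    return st;
}
```

With 16843009 zero bytes (just over 16 MiB) the unchecked counter reaches exactly UINT32_MAX and the final addition wraps to a tiny length, which is the condition the upstream note describes; the checked decoder rejects that input before any arithmetic happens.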
Created attachment 913398: Backported patch

Backport from lzo-2.07.
Created attachment 913482: Backported patch
Acknowledgements: Red Hat would like to thank Don A. Bailey from Lab Mouse Security for reporting this issue.
Issue Description: An integer overflow flaw was found in the way the lzo library decompressed certain archives compressed with the LZO algorithm. An attacker could create a specially crafted LZO-compressed input that, when decompressed by an application using the lzo library, would cause that application to crash or, potentially, execute arbitrary code.
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7

Via RHSA-2014:0861 https://rhn.redhat.com/errata/RHSA-2014-0861.html
The kdenetwork package may be affected, as it includes krfb: http://www.kde.org/info/security/advisory-20140803-1.txt
krfb-4.13.3-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
krfb-4.11.5-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Created remmina tracking bugs for this issue: Affects: fedora-all [bug 1131796]
Created icecream tracking bugs for this issue:

Affects: fedora-all [bug 1131794]
Affects: epel-all [bug 1131795]
Created distcc tracking bugs for this issue:

Affects: fedora-all [bug 1131791]
Affects: epel-6 [bug 1131792]
Created grub2 tracking bugs for this issue: Affects: fedora-all [bug 1131793]
Created krfb tracking bugs for this issue: Affects: fedora-all [bug 1131789]
Created blender tracking bugs for this issue: Affects: fedora-all [bug 1131790]
According to https://bugs.mageia.org/show_bug.cgi?id=13943 a number of other packages may embed lzo. I checked the build logs for the above bugs and believe they do embed it.
Hi Murray,

I believe you missed the dump package. I checked the dump-debuginfo package in Fedora Rawhide and found these files, which suggests that the bundled minilzo is indeed built:

/usr/src/debug/dump-0.4b44/compat/lib/minilzo.c
/usr/src/debug/dump-0.4b44/compat/include/minilzo.h
/usr/src/debug/dump-0.4b44/compat/include/lzoconf.h
Created dump tracking bugs for this issue: Affects: fedora-all [bug 1132282]
(In reply to David Walser from comment #29)
> Hi Murray,
>
> I believe you missed the dump package. I checked the dump-debuginfo package
> in Fedora Rawhide and found these files, which suggests that the bundled
> minilzo is indeed built:
> /usr/src/debug/dump-0.4b44/compat/lib/minilzo.c
> /usr/src/debug/dump-0.4b44/compat/include/minilzo.h
> /usr/src/debug/dump-0.4b44/compat/include/lzoconf.h

I did miss it, thank you!
distcc-3.2rc1-4.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
distcc-3.2rc1-8.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
distcc-3.2rc1-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
icecream-1.0.1-8.20140822git.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
icecream-1.0.1-8.20140822git.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
icecream-1.0.1-8.20140822git.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
grub2-2.02-0.13.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
grub2-2.00-27.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
grub2-2.00-27.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
dump-0.4-0.24.b44.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.