CVE-2014-4607: potential integer overflow, fixed in 2.07

Related Vulnerabilities: CVE-2014-4607  

Debian Bug report logs - #752861
CVE-2014-4607: potential integer overflow, fixed in 2.07


Reported by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Date: Fri, 27 Jun 2014 07:18:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in versions lzo2/2.03-2, lzo2/2.06-1.2

Fixed in versions lzo2/2.08-1, lzo2/2.03-2+deb6u1, lzo2/2.06-1+deb7u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Peter Eisentraut <petere@debian.org>:
Bug#752861; Package src:lzo2. (Fri, 27 Jun 2014 07:18:06 GMT).


Acknowledgement sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
New Bug report received and forwarded. Copy sent to Peter Eisentraut <petere@debian.org>. (Fri, 27 Jun 2014 07:18:06 GMT).


Message #5 received at submit@bugs.debian.org:

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
To: submit@bugs.debian.org
Subject: CVE-2014-4607: potential integer overflow, fixed in 2.07
Date: Fri, 27 Jun 2014 09:14:33 +0200
Package: src:lzo2
Version: 2.03-2
Severity: important
Tags: security

From http://www.oberhumer.com/opensource/lzo/:

|LZO 2.07 has been released:
|
|Fixed a potential integer overflow condition in the "safe" decompressor
|variants which could result in a possible buffer overrun when processing
|maliciously crafted compressed input data.
|
|As this issue only affects 32-bit systems and also can only happen if
|you use uncommonly huge buffer sizes where you have to decompress more
|than 16 MiB (2^24 bytes) compressed bytes within a single function call
|the practical implications are limited.
|
|POTENTIAL SECURITY ISSUE. But then, I personally do not know about any
|client program that actually is affected.

I used the version from oldstable because it seems that all versions of
liblzo2 are affected.

http://www.openwall.com/lists/oss-security/2014/06/26/20

Sebastian
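The upstream note quoted above describes the bug class only in prose: a length counter in a decompressor that is wide enough on 64-bit but wraps on 32-bit once enough input has been consumed in one call. The following is an added illustration written for this page; it is not LZO's code and not the CVE-2014-4607 patch, and its format is a constructed toy run-length header (each leading zero byte adds 255 to the run length, the first non-zero byte adds its own value), not the LZO bitstream. The counter is `uint32_t` so the 32-bit behaviour shows on any host. It places an unchecked accumulator beside a hardened one that tests headroom before every addition, plus a copy routine whose bounds check is phrased in bytes remaining rather than pointer plus length. All names (`read_run_len_unchecked`, `read_run_len_checked`, `copy_literals`, `run_header`, `copy_run_status`) are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy run-length header, NOT the LZO bitstream: each leading zero
 * byte adds 255 to the run length, the first non-zero byte adds its own value.
 * The counter is uint32_t to model a 32-bit size type on any host. */

typedef enum {
    DEC_OK = 0,
    DEC_INPUT_OVERRUN,   /* ran off the end of the compressed input */
    DEC_OUTPUT_OVERRUN,  /* run does not fit in the output buffer */
    DEC_LEN_OVERFLOW,    /* run length would wrap the 32-bit counter */
    DEC_NOMEM            /* constructed input could not be allocated */
} dec_status;

typedef dec_status (*len_reader)(const uint8_t *, size_t, size_t *, uint32_t *);

/* Unchecked accumulation. 16843009 * 255 == UINT32_MAX exactly, so the
 * 16843010th zero byte (just over 2^24 bytes of input) wraps t to 254. */
dec_status read_run_len_unchecked(const uint8_t *in, size_t in_len,
                                  size_t *pos, uint32_t *run_len)
{
    uint32_t t = 0;
    while (*pos < in_len && in[*pos] == 0) {
        t += 255;                       /* wraps silently at 2^32 */
        (*pos)++;
    }
    if (*pos >= in_len)
        return DEC_INPUT_OVERRUN;
    t += in[(*pos)++];
    *run_len = t;
    return DEC_OK;
}

/* Hardened accumulation: test the headroom before every addition. */
dec_status read_run_len_checked(const uint8_t *in, size_t in_len,
                                size_t *pos, uint32_t *run_len)
{
    uint32_t t = 0;
    while (*pos < in_len && in[*pos] == 0) {
        if (t > UINT32_MAX - 255)
            return DEC_LEN_OVERFLOW;
        t += 255;
        (*pos)++;
    }
    if (*pos >= in_len)
        return DEC_INPUT_OVERRUN;
    if (t > UINT32_MAX - in[*pos])
        return DEC_LEN_OVERFLOW;
    t += in[(*pos)++];
    *run_len = t;
    return DEC_OK;
}

/* Bounds check phrased as "bytes remaining", so the comparison itself cannot
 * wrap the way pointer + length can; only then copy the literal run. */
dec_status copy_literals(const uint8_t *in, size_t in_len, size_t *ipos,
                         uint8_t *out, size_t out_len, size_t *opos,
                         uint32_t run_len)
{
    if (run_len > in_len - *ipos)
        return DEC_INPUT_OVERRUN;
    if (run_len > out_len - *opos)
        return DEC_OUTPUT_OVERRUN;
    memcpy(out + *opos, in + *ipos, run_len);
    *ipos += run_len;
    *opos += run_len;
    return DEC_OK;
}

/* Feed a constructed header of n_zero zero bytes plus one terminator byte
 * through the given reader; reports the status and the decoded length. */
dec_status run_header(len_reader reader, size_t n_zero, uint8_t terminator,
                      uint32_t *run_len)
{
    size_t len = n_zero + 1;
    uint8_t *buf = calloc(len, 1);      /* constructed input, all zeros */
    if (!buf)
        return DEC_NOMEM;
    buf[n_zero] = terminator;
    size_t pos = 0;
    *run_len = 0;
    dec_status st = reader(buf, len, &pos, run_len);
    free(buf);
    return st;
}

/* Single-value wrappers: decoded length (0 on any error) and status. */
uint32_t run_len_value(len_reader reader, size_t n_zero, uint8_t terminator)
{
    uint32_t t = 0;
    return run_header(reader, n_zero, terminator, &t) == DEC_OK ? t : 0;
}

dec_status run_len_status(len_reader reader, size_t n_zero, uint8_t terminator)
{
    uint32_t t = 0;
    return run_header(reader, n_zero, terminator, &t);
}

/* Exercise copy_literals on small constructed buffers. */
dec_status copy_run_status(size_t in_avail, size_t out_avail, uint32_t run_len)
{
    uint8_t in[64] = {0}, out[64];
    size_t ipos = 0, opos = 0;
    if (in_avail > sizeof in || out_avail > sizeof out)
        return DEC_NOMEM;
    return copy_literals(in, in_avail, &ipos, out, out_avail, &opos, run_len);
}
```

With 16843010 zero bytes and a terminator of 1 the true run length is 4294967551, but the unchecked reader reports 255, so any later size check that trusts that value reasons about the wrong length; the checked reader returns `DEC_LEN_OVERFLOW` on the first zero byte that would wrap. The threshold sits just above 2^24 = 16777216 input bytes, which is where the upstream note draws its "more than 16 MiB within a single function call" line.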



Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 27 Jun 2014 13:09:11 GMT).


Added tag(s) pending. Request was from Peter Eisentraut <petere@debian.org> to control@bugs.debian.org. (Wed, 02 Jul 2014 02:27:04 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Peter Eisentraut <petere@debian.org>:
Bug#752861; Package src:lzo2. (Fri, 11 Jul 2014 12:18:16 GMT).


Acknowledgement sent to Johan Ouwerkerk <jm.ouwerkerk@gmail.com>:
Extra info received and forwarded to list. Copy sent to Peter Eisentraut <petere@debian.org>. (Fri, 11 Jul 2014 12:18:16 GMT).


Message #14 received at 752861@bugs.debian.org:

From: Johan Ouwerkerk <jm.ouwerkerk@gmail.com>
To: Debian Bug Tracking System <752861@bugs.debian.org>
Subject: liblzo2-2: Please use 2.08 instead of 2.07
Date: Fri, 11 Jul 2014 14:18:19 +0200
Package: liblzo2-2
Version: 2.06-1.2
Followup-For: Bug #752861

Dear Maintainer,

Please use version 2.08 instead of 2.07 of LZO. (Version 2.08 fixes a regression in 2.07 
which prevents cross compilation of the LZO source).


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages liblzo2-2 depends on:
ii  libc6              2.19-5
ii  multiarch-support  2.19-5

liblzo2-2 recommends no packages.

liblzo2-2 suggests no packages.

-- no debconf information



Reply sent to Peter Eisentraut <petere@debian.org>:
You have taken responsibility. (Tue, 15 Jul 2014 01:36:14 GMT).


Notification sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
Bug acknowledged by developer. (Tue, 15 Jul 2014 01:36:14 GMT).


Message #19 received at 752861-close@bugs.debian.org:

From: Peter Eisentraut <petere@debian.org>
To: 752861-close@bugs.debian.org
Subject: Bug#752861: fixed in lzo2 2.08-1
Date: Tue, 15 Jul 2014 01:33:27 +0000
Source: lzo2
Source-Version: 2.08-1

We believe that the bug you reported is fixed in the latest version of
lzo2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 752861@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Eisentraut <petere@debian.org> (supplier of updated lzo2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 14 Jul 2014 21:03:12 -0400
Source: lzo2
Binary: liblzo2-dev liblzo2-2 liblzo2-2-udeb
Architecture: source i386
Version: 2.08-1
Distribution: unstable
Urgency: low
Maintainer: Peter Eisentraut <petere@debian.org>
Changed-By: Peter Eisentraut <petere@debian.org>
Description:
 liblzo2-2  - data compression library
 liblzo2-2-udeb - data compression library (udeb)
 liblzo2-dev - data compression library (development files)
Closes: 750622 752861
Changes:
 lzo2 (2.08-1) unstable; urgency=low
 .
   * New upstream release (closes: #752861) (CVE-2014-4607)
   * Update standards version
   * Add autotools-dev to build dependencies (closes: #750622)
Checksums-Sha1:
 8c26250ac666f15542541e721466318608c4ebe9 1199 lzo2_2.08-1.dsc
 64c3e44843a44ffc4533aa89e41516f42bfefa76 589045 lzo2_2.08.orig.tar.gz
 d9dfb177678b6d665ab16f7df1f2b562fa9b699b 3780 lzo2_2.08-1.debian.tar.xz
 e6a87b52bff507ae9f456303402a85ccdecdf336 112172 liblzo2-dev_2.08-1_i386.deb
 c3fa61208298a4e30b56c87cd4308f4d44b2aefc 58108 liblzo2-2_2.08-1_i386.deb
 4ba17fec3717415db0cb14c70dacd66eea221e96 44474 liblzo2-2-udeb_2.08-1_i386.udeb
Checksums-Sha256:
 57e7bc40f200ed0c51cae0209195b52d41035582c4ef3b0867d3dd5d9a8d678d 1199 lzo2_2.08-1.dsc
 ac1b3e4dee46febe9fd28737eb7f5692d3232ef1a01da10444394c3d47536614 589045 lzo2_2.08.orig.tar.gz
 f291776c9a39cd468c982705799b64af1ba370f80d78865296cd605cb96107e8 3780 lzo2_2.08-1.debian.tar.xz
 3f2623fe595335801d54ed1577bde55f431a9bd5a3ee2ac0f3e7e70b7d3e1e3b 112172 liblzo2-dev_2.08-1_i386.deb
 b4f3685fd5ba5e2c8c36e57f88eacde9194f8af8a269a7a809b1db5f7e4deb25 58108 liblzo2-2_2.08-1_i386.deb
 fd610551a70c8ae470cca36a5a285009344f47f3e82d7c1300c3aaa7faa59df8 44474 liblzo2-2-udeb_2.08-1_i386.udeb
Files:
 abb95dd52aff3d26c3a356ab5a65595c 112172 libdevel optional liblzo2-dev_2.08-1_i386.deb
 250d4bdc4d1c958b1ea16402715e1683 58108 libs optional liblzo2-2_2.08-1_i386.deb
 ff51a9e37eb7cf68a54a9ec14659416f 44474 debian-installer optional liblzo2-2-udeb_2.08-1_i386.udeb
 3f753312ef3fb8d39de51197b614d912 1199 libs optional lzo2_2.08-1.dsc
 fcec64c26a0f4f4901468f360029678f 589045 libs optional lzo2_2.08.orig.tar.gz
 55ee44272c615c802304b0c4efa52ec3 3780 libs optional lzo2_2.08-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iEYEARECAAYFAlPEfwAACgkQTTx8oVVPtMZkHwCfY6BRQi9iwht2yCfvTrT9ZRpU
XmUAn1u9UCRhPBIXOZ/gfN7sSuErm3wC
=OYt6
-----END PGP SIGNATURE-----




Reply sent to Holger Levsen <holger@debian.org>:
You have taken responsibility. (Mon, 11 Aug 2014 16:51:26 GMT).


Notification sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
Bug acknowledged by developer. (Mon, 11 Aug 2014 16:51:26 GMT).


Message #24 received at 752861-close@bugs.debian.org:

From: Holger Levsen <holger@debian.org>
To: 752861-close@bugs.debian.org
Subject: Bug#752861: fixed in lzo2 2.03-2+deb6u1
Date: Mon, 11 Aug 2014 16:49:24 +0000
Source: lzo2
Source-Version: 2.03-2+deb6u1

We believe that the bug you reported is fixed in the latest version of
lzo2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 752861@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <holger@debian.org> (supplier of updated lzo2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 11 Aug 2014 16:38:29 +0200
Source: lzo2
Binary: liblzo2-dev liblzo2-2
Architecture: source amd64
Version: 2.03-2+deb6u1
Distribution: squeeze-lts
Urgency: medium
Maintainer: Peter Eisentraut <petere@debian.org>
Changed-By: Holger Levsen <holger@debian.org>
Description: 
 liblzo2-2  - data compression library
 liblzo2-dev - data compression library (development files)
Closes: 752861
Changes: 
 lzo2 (2.03-2+deb6u1) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * Add CVE-2014-4607.patch from DSA-2995-1.
     CVE-2014-4607: lzo1x_decompress_safe() integer overflow allowing denial
     of service or code execution. (Closes: #752861)
Checksums-Sha1: 
 6282558a098b2b199311b72778f163a2efdd1e44 1675 lzo2_2.03-2+deb6u1.dsc
 0db2b1189925a7574975dd7b8a1ba23657881a82 4708 lzo2_2.03-2+deb6u1.debian.tar.gz
 225c5776a8d7a66cc447fa5c456dcf02d11199ab 148060 liblzo2-dev_2.03-2+deb6u1_amd64.deb
 3b05bb69e6a989b82071db21485e68c583caf735 59606 liblzo2-2_2.03-2+deb6u1_amd64.deb
Checksums-Sha256: 
 7170811ec034746bbd28382975d310cfeb70e270e2c4acf4e9876bafe57c7424 1675 lzo2_2.03-2+deb6u1.dsc
 f0f9848fde2d3d8872ed95a2cc72b31b8ee64fbefada559528297e7b919b5dba 4708 lzo2_2.03-2+deb6u1.debian.tar.gz
 010dc78a0eeb826cd2f998d0753232a60b621e0ad9a019a88c6040e1410037bd 148060 liblzo2-dev_2.03-2+deb6u1_amd64.deb
 ed3867dd3ca57977d45d7de4c04fb70ded3be5f54922cecfd0196a52ef2ecb17 59606 liblzo2-2_2.03-2+deb6u1_amd64.deb
Files: 
 ebd3d87fcafc57fe196e98ca26a7643c 1675 libs important lzo2_2.03-2+deb6u1.dsc
 92a5978e858b1f70a3b63e7c9412af85 4708 libs important lzo2_2.03-2+deb6u1.debian.tar.gz
 25a9e2af606acca7160763b8f861eaf7 148060 libdevel optional liblzo2-dev_2.03-2+deb6u1_amd64.deb
 1df8df44c847459447bbc02dd7bdf037 59606 libs important liblzo2-2_2.03-2+deb6u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIVAwUBU+jvzgkauFYGmqocAQjaFQ/+L467UN+I6mniFkQRUXWRNiB+KbDp+Vj+
9sloBcDXHitHnDJ7ApQ15m5df2FZJ/43axs9+tGM7p7RmQ03yYzXfC+WKZY4KPen
vi8PbQRpBQ3v7HaLBwb8ArOydywDK9UX+Qw8RR3cqWKRJ+XRbL7qLtzKNgL0bZaq
LrFXPi/1WQRE4oGnrM0wzOyFqn1x9cWCc75qC5x590u4RM3eFu2+8pGbS4iIp+X7
HEXjnudqMqrDAmLn+Sty/34ipXjBregbXph+xU6vTADQ7G42P4OiurvdremyXOhr
wzw+6oAUxCamRqG3RMglHtIuJ5FILjck2uHshEo55ZznyXH1n412neFWep0eSp4i
vVXazpROwrm9qFvlcjRWNXUvfMzHBASh7SmfMf0CkVXlv5XSek4oYwljBhCdBOcB
rwe956NtPvO9WDY8clO9Xd+9mYA5A0L1LyThzR70HwN1PZUUE+1MvHqSKwObg2WI
fCgsR4NKteN1yeESJ7dASQq1LwymyNC3VurgYKBWBiJ0+T2Rpjb7Wnq+Fxmrfbva
S/Ge1Rj2adeGFcUtyV25YUnCHn9JrdQWKhT3SCGbOG+vI6lUjH0IdlAm/b18k2+k
KgZTtaT/UlqBEsMMsy4i11PQwpm1knd5lxn5g35gHtZ7A6s6itpv31QM1rF0puz9
4EicLyYN0Wg=
=hnrP
-----END PGP SIGNATURE-----




Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 31 Aug 2014 01:51:17 GMT).


Notification sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
Bug acknowledged by developer. (Sun, 31 Aug 2014 01:51:17 GMT).


Message #29 received at 752861-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 752861-close@bugs.debian.org
Subject: Bug#752861: fixed in lzo2 2.06-1+deb7u1
Date: Sun, 31 Aug 2014 01:47:05 +0000
Source: lzo2
Source-Version: 2.06-1+deb7u1

We believe that the bug you reported is fixed in the latest version of
lzo2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 752861@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated lzo2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 02 Aug 2014 10:37:21 +0200
Source: lzo2
Binary: liblzo2-dev liblzo2-2
Architecture: source amd64
Version: 2.06-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Peter Eisentraut <petere@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description: 
 liblzo2-2  - data compression library
 liblzo2-dev - data compression library (development files)
Closes: 752861
Changes: 
 lzo2 (2.06-1+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add CVE-2014-4607.patch patch.
     CVE-2014-4607: lzo1x_decompress_safe() integer overflow allowing denial
     of service or code execution. (Closes: #752861)
Checksums-Sha1: 
 11760fe72d47ea2c23b1ede243a8618968d5f746 1749 lzo2_2.06-1+deb7u1.dsc
 a11768b8a168ec607750842bbef406f11547b904 583045 lzo2_2.06.orig.tar.gz
 68f113e0f5a3ebf4a6270fe1b9b7240219b855b6 4748 lzo2_2.06-1+deb7u1.debian.tar.gz
 477195ee440c0f5b7dadbbd50390f66cbba11b01 150312 liblzo2-dev_2.06-1+deb7u1_amd64.deb
 08a72dab4b95f35449c7522d38faa15cb6ead383 58984 liblzo2-2_2.06-1+deb7u1_amd64.deb
Checksums-Sha256: 
 ebc952e74af129dab589b463f8725e15209760111e81c7a6829f96da1938e80b 1749 lzo2_2.06-1+deb7u1.dsc
 ff79e6f836d62d3f86ef6ce893ed65d07e638ef4d3cb952963471b4234d43e73 583045 lzo2_2.06.orig.tar.gz
 7897926494f53c73a952bf3913e23b44e65a98b3dbeaaa09d1ac5c1f74d92d90 4748 lzo2_2.06-1+deb7u1.debian.tar.gz
 fc36ed0de4626d40a33219f748f0aaefd9558a51ccf1bc05d384a0e42cc2af66 150312 liblzo2-dev_2.06-1+deb7u1_amd64.deb
 7132fe874653504653717a392bc3ee2ab5888134bf2f2c2f1103e42ae0329c2d 58984 liblzo2-2_2.06-1+deb7u1_amd64.deb
Files: 
 250b893a5c29d2fe1891f2ab2920cdf0 1749 libs optional lzo2_2.06-1+deb7u1.dsc
 95380bd4081f85ef08c5209f4107e9f8 583045 libs optional lzo2_2.06.orig.tar.gz
 18a8363b69688258739fd16a3abc5db8 4748 libs optional lzo2_2.06-1+deb7u1.debian.tar.gz
 fcf479c36690150433636774b28018cf 150312 libdevel optional liblzo2-dev_2.06-1+deb7u1_amd64.deb
 773310e702b9baad4b494236e54e1dfe 58984 libs optional liblzo2-2_2.06-1+deb7u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJT3KRzAAoJEAVMuPMTQ89EDPgP/id36dZpj+tHkG14P/LhA0hb
ocTDxuURLXAyC743E778h9XYZNlikuxYkZj9dLdgN+edSZci876fXkf24KNllHYz
6SQ0zjAH1S+VO/rR7uTPiGuiodmDrU9J5rDB9T/IZV1ezKDANT9jbWsX2MMwCY52
DXR+BXC+0+3IHo+yf92hGYIxF40iwrwa/AwEUS2H5NuMANJOngKwJe7N0FT+mApe
9054ejbPglR/agS7xRqX8uGra8SSZjHvN1GTu7z3pzRVdMwoyYc/7YpAE65aMwld
l4ikUHqs/bw17bZUH0L45INuXQCOK5v1Ah4QhG3Fx2vxq9QDgjFF/7eqzGbK/VrS
UNt3OTPNIXEyV0V4wbgc8lfBTuzJhienafkD3MLyeoENEjCbKEy4yxUopjqmsRYd
GtIvcpEsL97VH06v0GLhTVOU6P72e1LgwJKrJZKi+uW+Wux3mz1obZVOxTxdNqZg
bMHPo3YurO9LfCUbOcpYS2kR+j7cS0lGkVTpsgokDA06eKR3rXINGeBF5K0N8rNu
SdD2wc18lakYuT/GH1JKO2fDh9xgqSlm5yXSc0XB8uuxY1L6m1zNnPmbVhbrtGaL
v1fXMDo87PrOi440Q+kZOjxPtZq12txWDdDE1eA9p8uL0TyvN1LdCgaxPq0oIUiZ
4UTngVCtcun0aCYpMHtE
=rZzJ
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 08 Oct 2014 07:35:20 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:10:48 2019; Machine Name: buxtehude
