Bug 7238

Summary: minilzo: Embedded LZO vulnerability (CVE-2014-4607)
Product: Busybox
Reporter: Kristian Fiskerstrand <kf>
Component: Other
Assignee: unassigned
Status: RESOLVED FIXED
Severity: minor
CC: busybox-cvs
Priority: P5
Version: unspecified
Target Milestone: ---
Hardware: PC
OS: Windows
Host:
Target:
Build:

Description Kristian Fiskerstrand 2014-06-27 17:14:59 UTC
Hi, 

A security issue was raised[0] regarding the implementation of LZO, which is fixed
in Oberhumer's LZO version 2.07 and allocated CVE-2014-4607. Further, it is
suggested that busybox might be affected by this vulnerability by embedding a
version of the affected code (minilzo)[1]. It would be appreciated to get a
comment on the applicability and a possible fix for this issue.

References: 
[0] http://seclists.org/oss-sec/2014/q2/665
[1] http://seclists.org/oss-sec/2014/q2/676

Comment 1 Denys Vlasenko 2014-06-30 11:30:41 UTC
Fixed in git