Bug 7238 - minilzo: Embedded LZO vulnerability (CVE-2014-4607)
Status: RESOLVED FIXED
Alias: None
Product: Busybox
Classification: Unclassified
Component: Other
Version: unspecified
Hardware: PC Windows
Importance: P5 minor
Target Milestone: ---
Assignee: unassigned
Reported: 2014-06-27 17:14 UTC by Kristian Fiskerstrand
Modified: 2014-06-30 11:30 UTC

Description Kristian Fiskerstrand 2014-06-27 17:14:59 UTC
Hi, 

A security issue was raised[0] regarding the implementation of LZO, which is fixed
in Oberhumer's LZO version 2.07 and was allocated CVE-2014-4607. Further, it is
suggested that busybox might be affected by this vulnerability by embedding a
version of the affected code (minilzo)[1]. It would be appreciated to get a
comment on the applicability and a possible fix for this issue.

References: 
[0] http://seclists.org/oss-sec/2014/q2/665
[1] http://seclists.org/oss-sec/2014/q2/676
Comment 1 Denys Vlasenko 2014-06-30 11:30:41 UTC
Fixed in git