FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2014-4608

This CVE name corresponds to:

Entered: 2014-06-26
Topic: LZO -- potential buffer overrun when processing malicious input data

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type: Candidate
Name: CVE-2014-4608
Phase: Assigned (20140623)

Description

** DISPUTED ** Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel before 3.15.2 allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run. NOTE: the author of the LZO algorithms says "the Linux kernel is *not* affected; media hype."

References

Source   Reference
MLIST    [oss-security] 20140626 LMS-2014-06-16-2: Linux Kernel LZO
MISC     http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html
MISC     http://www.oberhumer.com/opensource/lzo/
MISC     https://www.securitymouse.com/lms-2014-06-16-2
CONFIRM  http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=206a81c18401c0cde6e579164f752c4b147324ce
CONFIRM  http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.15.2
CONFIRM  https://bugzilla.redhat.com/show_bug.cgi?id=1113899
CONFIRM  https://github.com/torvalds/linux/commit/206a81c18401c0cde6e579164f752c4b147324ce
REDHAT   RHSA-2015:0062
SUSE     SUSE-SU-2015:0481
SUSE     openSUSE-SU-2015:0566
SUSE     SUSE-SU-2015:0736
UBUNTU   USN-2416-1
UBUNTU   USN-2419-1
UBUNTU   USN-2420-1
UBUNTU   USN-2421-1
UBUNTU   USN-2417-1
UBUNTU   USN-2418-1
BID      68214
SECUNIA  60011
SECUNIA  60174
SECUNIA  62633