LZO security bug might affect Busybox

Patrick 'P. J.' McDermott pj+busybox-ml at pehjota.net
Sat Jun 28 17:20:16 UTC 2014


On 2014-06-28 09:33, Isaac Dunham wrote:
> There's an integer overflow in LZO (LMS-2014-06-16-1):
> http://www.openwall.com/lists/oss-security/2014/06/26/20
> 
> I suspect that this affects Busybox; the code would be in
> archival/libarchive/lzo1x_d.c
> But I wouldn't be able to verify that or to fix it.

Yes, I believe the copy of libarchive in BusyBox is affected.

The file that defines the vulnerable function is only built if
CONFIG_LZOP is enabled, so disabling that (if enabled) is a temporary
way to avoid the overflow issue.

-- 
Patrick "P. J." McDermott
  http://www.pehjota.net/
Lead Developer, ProteanOS
  http://www.proteanos.com/
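The mitigation described in the message above depends on whether CONFIG_LZOP is set in the BusyBox build configuration. The following shell snippet is an added example, not code from the thread or from BusyBox itself: it reports whether a given `.config` has the option enabled, explicitly disabled (the `# CONFIG_LZOP is not set` form that Kconfig writes), or absent altogether. The sample config contents are constructed for the demonstration.

```shell
# Added example (not from the mailing-list thread or the BusyBox tree):
# report the state of CONFIG_LZOP in a BusyBox .config file.

# lzop_state CONFIG_FILE -> prints "enabled", "disabled" or "absent".
# Kconfig writes "CONFIG_FOO=y" for enabled options and
# "# CONFIG_FOO is not set" for explicitly disabled ones.
lzop_state() {
    config="$1"
    if grep -q '^CONFIG_LZOP=y$' "$config"; then
        echo enabled
    elif grep -q '^# CONFIG_LZOP is not set$' "$config"; then
        echo disabled
    else
        echo absent
    fi
}

# Constructed sample configs (hypothetical contents, for demonstration only).
SAMPLE_ENABLED=$(mktemp)
cat > "$SAMPLE_ENABLED" <<'EOF'
CONFIG_TAR=y
CONFIG_LZOP=y
CONFIG_UNLZMA=y
EOF

SAMPLE_DISABLED=$(mktemp)
cat > "$SAMPLE_DISABLED" <<'EOF'
CONFIG_TAR=y
# CONFIG_LZOP is not set
EOF

SAMPLE_ABSENT=$(mktemp)
cat > "$SAMPLE_ABSENT" <<'EOF'
CONFIG_TAR=y
EOF

trap 'rm -f "$SAMPLE_ENABLED" "$SAMPLE_DISABLED" "$SAMPLE_ABSENT"' EXIT

# Usage: print the state for each sample, and for a real .config if one is
# passed as the first argument (e.g. ./check.sh /path/to/busybox/.config).
for f in "$SAMPLE_ENABLED" "$SAMPLE_DISABLED" "$SAMPLE_ABSENT" ${1:+"$1"}; do
    printf '%s: CONFIG_LZOP %s\n' "$f" "$(lzop_state "$f")"
done
```

An "enabled" result means archival/libarchive/lzo1x_d.c is compiled into the binary and the workaround from the message (turning CONFIG_LZOP off and rebuilding) applies; "disabled" or "absent" means the file is not built.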