[Bug 7238] New: minilzo: Embedded LZO vulnerability (CVE-2014-4607)

bugzilla at busybox.net bugzilla at busybox.net
Fri Jun 27 17:15:00 UTC 2014


https://bugs.busybox.net/show_bug.cgi?id=7238

           Summary: minilzo: Embedded LZO vulnerability (CVE-2014-4607)
           Product: Busybox
           Version: unspecified
          Platform: PC
        OS/Version: Windows
            Status: NEW
          Severity: minor
          Priority: P5
         Component: Other
        AssignedTo: unassigned at busybox.net
        ReportedBy: kf at sumptuouscapital.com
                CC: busybox-cvs at busybox.net
   Estimated Hours: 0.0


Hi, 

A security issue was raised[0] regarding the implementation of LZO, which is fixed
in Oberhumer's LZO version 2.07 and allocated CVE-2014-4607. Further, it is
suggested that busybox might be affected by this vulnerability by embedding a
version of the affected code (minilzo)[1]. It would be appreciated to get a
comment on the applicability and a possible fix for this issue.

References: 
[0] http://seclists.org/oss-sec/2014/q2/665
[1] http://seclists.org/oss-sec/2014/q2/676
