On 2014-06-28 09:33, Isaac Dunham wrote:
> There's an integer overflow in LZO (LMS-2014-06-16-1):
> http://www.openwall.com/lists/oss-security/2014/06/26/20
>
> I suspect that this affects Busybox; the code would be in
> archival/libarchive/lzo1x_d.c
> But I wouldn't be able to verify that or to fix it.

Yes, I believe the copy of libarchive in BusyBox is affected. The file
that defines the vulnerable function is only built if CONFIG_LZOP is
enabled, so disabling that (if enabled) is a temporary way to avoid the
overflow issue.

-- 
Patrick "P. J." McDermott
  http://www.pehjota.net/
Lead Developer, ProteanOS
  http://www.proteanos.com/
_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
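
The workaround in the reply above, as an added example that is not part of the original thread or BusyBox's own code: a shell check that reports whether a BusyBox `.config` enables CONFIG_LZOP and, if so, turns it off. The function names and the sample configuration are constructed for illustration; the option CONFIG_LZOP_COMPR_HIGH is not named in the thread and is included only to show why the match must be anchored.

```shell
#!/bin/sh
# Added example (not BusyBox project code): inspect a BusyBox .config for
# CONFIG_LZOP, the option the reply names as gating the affected file.
# Kconfig writes an enabled bool as "CONFIG_X=y" and a disabled one as
# "# CONFIG_X is not set". Matches are anchored on both ends because
# CONFIG_LZOP_COMPR_HIGH shares the prefix and must not be confused with it.

# lzop_state FILE: print "enabled", "disabled" or "absent".
lzop_state() {
    if grep -q '^CONFIG_LZOP=y$' "$1"; then
        echo enabled
    elif grep -q '^# CONFIG_LZOP is not set$' "$1"; then
        echo disabled
    else
        echo absent
    fi
}

# disable_lzop FILE: turn CONFIG_LZOP off in place; other lines are untouched.
disable_lzop() {
    tmp=$(mktemp) || return 1
    sed 's/^CONFIG_LZOP=y$/# CONFIG_LZOP is not set/' "$1" > "$tmp" &&
        cat "$tmp" > "$1" && rm -f "$tmp"
}

# Constructed sample configuration (not taken from any real build).
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_GZIP=y
CONFIG_LZOP=y
# CONFIG_LZOP_COMPR_HIGH is not set
CONFIG_TAR=y
EOF

echo "before: $(lzop_state "$sample")"
disable_lzop "$sample"
echo "after:  $(lzop_state "$sample")"
```

The change only takes effect once BusyBox is rebuilt from the edited configuration.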
