Your message dated Mon, 11 Aug 2014 16:49:24 +0000
with message-id <[email protected]>
and subject line Bug#752861: fixed in lzo2 2.03-2+deb6u1
has caused the Debian Bug report #752861,
regarding CVE-2014-4607: potential integer overflow, fixed in 2.07
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
752861: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752861
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: src:lzo2
Version: 2.03-2
Severity: important
Tags: security
From http://www.oberhumer.com/opensource/lzo/:
|LZO 2.07 has been released:
|
|Fixed a potential integer overflow condition in the "safe" decompressor
|variants which could result in a possible buffer overrun when processing
|maliciously crafted compressed input data.
|
|As this issue only affects 32-bit systems and also can only happen if
|you use uncommonly huge buffer sizes where you have to decompress more
|than 16 MiB (2^24 bytes) compressed bytes within a single function call
|the practical implications are limited.
|
|POTENTIAL SECURITY ISSUE. But then, I personally do not know about any
|client program that actually is affected.
I used the version from oldstable because it seems that all versions of
liblzo2 are affected.
http://www.openwall.com/lists/oss-security/2014/06/26/20
Sebastian
--- End Message ---
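The arithmetic behind the quoted advisory, as an added illustration (not LZO's own code and not part of the bug report): LZO1X encodes a long run as a string of zero bytes that each add 255 to a length counter, and on 32-bit builds that counter (lzo_uint) is 32 bits wide. The functions below (names are my own) show where such a counter wraps and give a defensive input-size gate a caller of an unpatched 32-bit build could apply before decompressing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustration only: models the 32-bit lzo_uint of a 32-bit LZO build.
 * On 64-bit builds lzo_uint is 64 bits wide and this wrap does not occur,
 * which is why the advisory limits the issue to 32-bit systems. */
#define LZO_UINT32_MAX 0xFFFFFFFFu
#define RUN_STEP 255u   /* each zero byte in a long run adds 255 */

/* Smallest number of consecutive zero bytes whose accumulated run length
 * no longer fits in 32 bits: floor(UINT32_MAX / 255) + 1. */
uint64_t min_zero_bytes_to_wrap(void) {
    return (uint64_t)(LZO_UINT32_MAX / RUN_STEP) + 1;
}

/* Simulate accumulating the run length over 'zeros' zero bytes with a
 * 32-bit counter, refusing to wrap. Returns true if a wrap would occur;
 * otherwise stores the final length in *out (if non-NULL). */
bool run_length_overflows_32bit(uint64_t zeros, uint32_t *out) {
    uint32_t t = 0;
    for (uint64_t i = 0; i < zeros; i++) {
        if (t > LZO_UINT32_MAX - RUN_STEP)
            return true;              /* t + 255 would exceed 32 bits */
        t += RUN_STEP;
    }
    if (out) *out = t;
    return false;
}

/* Defensive gate for callers of an unpatched 32-bit build: a compressed
 * input shorter than the wrap threshold cannot contain a run long enough
 * to overflow the counter, whatever its bytes are. */
bool input_length_is_safe_for_32bit(size_t in_len) {
    return (uint64_t)in_len < min_zero_bytes_to_wrap();
}

int main(void) {
    uint64_t n = min_zero_bytes_to_wrap();
    printf("32-bit run counter wraps after %llu zero bytes (%.2f MiB)\n",
           (unsigned long long)n, (double)n / (1024.0 * 1024.0));
    printf("16 MiB input safe: %d, 17 MiB input safe: %d\n",
           input_length_is_safe_for_32bit((size_t)16 << 20),
           input_length_is_safe_for_32bit((size_t)17 << 20));
    return 0;
}
```

The threshold lands just above 16 MiB, matching the "more than 16 MiB (2^24 bytes)" figure in the advisory; the real fix in LZO 2.07 and the DSA patch is to bound the counter inside the decompressor, so this gate is only a stopgap for builds that cannot be updated.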
--- Begin Message ---
Source: lzo2
Source-Version: 2.03-2+deb6u1
We believe that the bug you reported is fixed in the latest version of
lzo2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Holger Levsen <[email protected]> (supplier of updated lzo2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 11 Aug 2014 16:38:29 +0200
Source: lzo2
Binary: liblzo2-dev liblzo2-2
Architecture: source amd64
Version: 2.03-2+deb6u1
Distribution: squeeze-lts
Urgency: medium
Maintainer: Peter Eisentraut <[email protected]>
Changed-By: Holger Levsen <[email protected]>
Description:
liblzo2-2 - data compression library
liblzo2-dev - data compression library (development files)
Closes: 752861
Changes:
lzo2 (2.03-2+deb6u1) squeeze-lts; urgency=medium
.
* Non-maintainer upload by the Squeeze LTS Team.
* Add CVE-2014-4607.patch from DSA-2995-1.
CVE-2014-4607: lzo1x_decompress_safe() integer overflow allowing denial
of service or code execution. (Closes: #752861)
--- End Message ---