Your message dated Sun, 31 Aug 2014 01:47:05 +0000
with message-id <[email protected]>
and subject line Bug#752861: fixed in lzo2 2.06-1+deb7u1
has caused the Debian Bug report #752861,
regarding CVE-2014-4607: potential integer overflow, fixed in 2.07
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
752861: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752861
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: src:lzo2
Version: 2.03-2
Severity: important
Tags: security
From http://www.oberhumer.com/opensource/lzo/:
|LZO 2.07 has been released:
|
|Fixed a potential integer overflow condition in the "safe" decompressor
|variants which could result in a possible buffer overrun when processing
|maliciously crafted compressed input data.
|
|As this issue only affects 32-bit systems and also can only happen if
|you use uncommonly huge buffer sizes where you have to decompress more
|than 16 MiB (2^24 bytes) compressed bytes within a single function call
|the practical implications are limited.
|
|POTENTIAL SECURITY ISSUE. But then, I personally do not know about any
|client program that actually is affected.
I used the version from oldstable because it seems that all versions of
liblzo2 are affected.
http://www.openwall.com/lists/oss-security/2014/06/26/20
Sebastian
--- End Message ---
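The integer overflow the quoted advisory describes, modelled as an added C example (not code from this mail, the LZO sources, or the Debian patch): a simplified LZO1X-style run-length accumulator held in a 32-bit `lzo_uint` beside a checked variant that fails closed instead of wrapping. The encoding modelled here (each 0x00 byte adds 255 to the pending length, the first non-zero byte terminates the run) is an assumption about the format, and `decode_length_unchecked`, `decode_length_checked` and `run_constructed` are illustrative names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Simplified LZO1X-style long-length field (assumed, not the LZO sources):
 * each 0x00 byte adds 255, the first non-zero byte ends the run and is added
 * too. uint32_t stands in for lzo_uint on the 32-bit builds the advisory names. */

/* Pre-fix behaviour: the running total can silently wrap. */
uint32_t decode_length_unchecked(const uint8_t *ip, size_t n, size_t *used)
{
    uint32_t t = 0;
    size_t i = 0;
    while (i < n && ip[i] == 0) { t += 255; i++; }   /* may wrap */
    if (i < n) t += ip[i++];
    *used = i;
    return t;
}

/* Hardened variant: fails closed if an addition would exceed UINT32_MAX
 * or the stream ends before the run is terminated. */
bool decode_length_checked(const uint8_t *ip, size_t n, size_t *used, uint32_t *out)
{
    uint32_t t = 0;
    size_t i = 0;
    while (i < n && ip[i] == 0) {
        if (t > UINT32_MAX - 255) return false;   /* would wrap */
        t += 255; i++;
    }
    if (i >= n) return false;                     /* truncated run */
    if (t > UINT32_MAX - ip[i]) return false;     /* would wrap on tail */
    t += ip[i++];
    *used = i; *out = t;
    return true;
}

/* Constructed input: `zeros` 0x00 bytes then one 0x01 terminator, run through
 * both decoders. Just over 16 MiB of zeros is enough to wrap the unchecked sum. */
struct run_result { uint32_t unchecked; bool accepted; uint32_t checked; };
struct run_result run_constructed(size_t zeros)
{
    struct run_result r = {0, false, 0};
    uint8_t *s = calloc(zeros + 1, 1);
    size_t used;
    if (!s) return r;
    s[zeros] = 1;
    r.unchecked = decode_length_unchecked(s, zeros + 1, &used);
    r.accepted = decode_length_checked(s, zeros + 1, &used, &r.checked);
    free(s);
    return r;
}
```

With 16843009 zero bytes (255 * 16843009 = UINT32_MAX) the unchecked sum wraps to 0 once the terminator is added, while the checked decoder rejects the input; 2^24 zero bytes, the advisory's 16 MiB figure, still fits and both decoders agree.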
--- Begin Message ---
Source: lzo2
Source-Version: 2.06-1+deb7u1
We believe that the bug you reported is fixed in the latest version of
lzo2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated lzo2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 02 Aug 2014 10:37:21 +0200
Source: lzo2
Binary: liblzo2-dev liblzo2-2
Architecture: source amd64
Version: 2.06-1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Peter Eisentraut <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description:
liblzo2-2 - data compression library
liblzo2-dev - data compression library (development files)
Closes: 752861
Changes:
lzo2 (2.06-1+deb7u1) wheezy-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Add CVE-2014-4607.patch patch.
CVE-2014-4607: lzo1x_decompress_safe() integer overflow allowing denial
of service or code execution. (Closes: #752861)
--- End Message ---