FS#40992 - [linux-lts] CVE-2014-4608, CVE-2014-4611, LZO/LZ4 vulnerability

Attached to Project: Arch Linux
Opened by Daniel Micay (thestinger) - Friday, 27 June 2014, 03:25 GMT
Last edited by Doug Newgard (Scimmia) - Saturday, 28 June 2014, 12:55 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To No-one
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

CVE-2014-4608 (LZO): http://www.openwall.com/lists/oss-security/2014/06/26/21
CVE-2014-4611 (LZ4): http://www.openwall.com/lists/oss-security/2014/06/26/24

The LZO issue is fixed by 3.15.2 and 3.10.45. The LZ4 issue is fixed by 3.15.2, but I don't see it in the changelog for 3.10.45...

Background: http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html

Closed by Doug Newgard (Scimmia)
Saturday, 28 June 2014, 12:55 GMT
Reason for closing: Fixed
Additional comments about closing: 3.15.2-1 in testing
Comment by Daniel Micay (thestinger) - Friday, 27 June 2014, 03:45 GMT
At this time, the patch-3.15.2.xz file is also missing so the full source tarball needs to be downloaded.

Changing the _srcname variable to linux-3.15.2 and commenting out the upstream patch line / source file is enough.
Comment by Tobias Powalowski (tpowa) - Friday, 27 June 2014, 08:57 GMT
3.15.2 in [testing]
Comment by Bartłomiej Piotrowski (Barthalion) - Friday, 27 June 2014, 18:48 GMT
So is 3.10.45. Any reason to keep it open?
Comment by Daniel Micay (thestinger) - Friday, 27 June 2014, 21:29 GMT
LZ4 was introduced in 3.11 so this is fixed.