FS#40995 - [gst-libav] CVE-2014-4609 integer overflow / remote code execution via bundled lzo implementation

Attached to Project: Arch Linux
Opened by Daniel Micay (thestinger) - Friday, 27 June 2014, 03:34 GMT
Last edited by Jan Alexander Steffens (heftig) - Saturday, 28 June 2014, 15:37 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Jan de Groot (JGC)
Jan Alexander Steffens (heftig)
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

This is a vulnerability in libav (and other projects), so it impacts the LZO code that's included in gst-libav.

http://www.openwall.com/lists/oss-security/2014/06/26/22

Background: http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html
This task depends upon

Closed by  Jan Alexander Steffens (heftig)
Saturday, 28 June 2014, 15:37 GMT
Reason for closing:  Fixed
Additional comments about closing:  gst-libav 1.2.4-2 updated to libav 9.14
Comment by Jan Alexander Steffens (heftig) - Saturday, 28 June 2014, 12:17 GMT
This isn't anything worth rushing to patch.

http://fastcompression.blogspot.fr/2014/06/lets-move-on.html
Comment by Daniel Micay (thestinger) - Saturday, 28 June 2014, 15:08 GMT
  • Field changed: Percent Complete (100% → 0%)
The LZ4 file format protected against this issue due to the block size limitations, but that doesn't apply to the LZO algorithm it was based on. The ffmpeg/libav projects use file formats without a limitation preventing exploitation, it's a real vulnerability with working proof of concept exploits.

Loading...