Bug 13945

Summary: busybox new security issue CVE-2014-4607
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: lewyssmith, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/604237/
Whiteboard: MGA3TOO has_procedure advisory MGA4-64-OK mga3-32-ok
Source RPM: busybox-1.21.1-3.mga4.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 13943    

Description David Walser 2014-08-19 19:44:06 CEST 
Busybox bundles part of the liblzo code, containing the lzo1x_decompress_safe function, which is affected by CVE-2014-4607.

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated busybox packages fix security vulnerability:

An integer overflow in liblzo before 2.07 allows attackers to cause a denial
of service or possibly code execution in applications using performing LZO
decompression on a compressed payload from the attacker (CVE-2014-4607).

Busybox bundles part of the liblzo code, containing the lzo1x_decompress_safe
function, which is affected by this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607
http://advisories.mageia.org/MGASA-2014-0290.html
========================

Updated packages in core/updates_testing:
========================
busybox-1.20.2-2.2.mga3
busybox-static-1.20.2-2.2.mga3
busybox-1.21.1-3.1.mga4
busybox-static-1.21.1-3.1.mga4

from SRPMS:
busybox-1.20.2-2.2.mga3.src.rpm
busybox-1.21.1-3.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-08-19 19:44:23 CEST

Blocks: (none) => 13943
Whiteboard: (none) => MGA3TOO

Comment 1 Lewis Smith 2014-08-20 22:26:25 CEST 
Testing MGA4 64 real hardware.

Installed busybox from release repos, updated from Updates Testing to:
busybox-1.21.1-3.1.mga4
 $ busybox
lists available commands; with --list-full option shows the normal path for each command. To find help for a command:
 $ busybox <command> -h   or  --help
To run a command, typically:
 $ busybox <command> [options] [FILE]

Tried as many of the related/paired compress/[cat]/uncompress busybox commands as I could find, on a long text file. Annoyingly, the many commands do not cite their compression type, so finding the equivalent CAT or UNcompress command for a given compress one can be guesswork. Curiosity: busybox has no 'compress' for its 'uncompress', nor 'zip' for its 'unzip'; but they both worked on appropriate files compressed directly. All these actions appeared to be OK.

CC: (none) => lewyssmith
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK

Comment 2 David Walser 2014-08-20 22:29:22 CEST 
To be more clear, only the lzop command in busybox is affected by this update.
Comment 3 claire robinson 2014-08-21 15:42:36 CEST 
Testing complete mga3 32

Needn't be root to do this but it doesn't hurt anything.
Testfile was just a random file.

# ll testfile*
-rw------- 1 root root 262144 Aug 21 14:29 testfile

# busybox lzop testfile

# ll testfile*
-rw------- 1 root root 262198 Aug 21 14:28 testfile.lzo

Compression apparently made it bigger :D

# busybox lzop -d testfile.lzo

# ll testfile
-rw------- 1 root root 262144 Aug 21 14:36 testfile

Tried a few other random commands too such as 'busybox ls', see previous update for examples https://bugs.mageia.org/show_bug.cgi?id=6673#c9

Repeated for busybox-static..

# busybox.static lzop testfile

# ll testfile*
-rw------- 1 root root 262198 Aug 21 14:40 testfile.lzo

# busybox.static lzop -d testfile.lzo

# ll testfile*
-rw------- 1 root root 262144 Aug 21 14:40 testfile

Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO has_procedure MGA4-64-OK mga3-32-ok

Comment 4 claire robinson 2014-08-22 15:38:41 CEST 
Testing completed mga4 64

Just checked lzop
Comment 5 claire robinson 2014-08-22 15:42:48 CEST 
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA4-64-OK mga3-32-ok => MGA3TOO has_procedure advisory MGA4-64-OK mga3-32-ok
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2014-08-25 10:44:48 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0351.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED