OpenSuSE has issued an advisory on July 21: http://lists.opensuse.org/opensuse-updates/2014-07/msg00025.html

The issue is in LZ4 decompression. The original advisory for this issue is here: http://openwall.com/lists/oss-security/2014/06/26/25
Whiteboard: (none) => MGA3TOO
Thanks for reporting this issue. I didn't find the patch, do you know where I can find it please?
https://build.opensuse.org/package/show/openSUSE:13.1:Update/eet
Fixed with eet-1.7.5-2.1.mga3, eet-1.7.10-1.1.mga4 & eet-1.7.10-2.mga5.
CC: (none) => oe
Thanks Oden. We actually didn't have eet in Cauldron anymore before this (I'm not sure why). I guess it was still in SVN. Hopefully trem will see this and if it was supposed to be dropped, do so properly.

Advisory:
========================

Updated eet packages fix security vulnerability:

Integer overflow in the LZ4 algorithm implementation on 32-bit platforms might allow context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted Literal Run that would be improperly handled by programs not complying with an API limitation (CVE-2014-4611).

The eet package bundles the LZ4 implementation and has been patched to correct this flaw.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4611
http://openwall.com/lists/oss-security/2014/06/26/25
http://lists.opensuse.org/opensuse-updates/2014-07/msg00025.html
========================

Updated packages in core/updates_testing:
========================
eet-1.7.5-2.1.mga3
libeet1-1.7.5-2.1.mga3
libeet-devel-1.7.5-2.1.mga3
eet-1.7.10-1.1.mga4
libeet1-1.7.10-1.1.mga4
libeet-devel-1.7.10-1.1.mga4

from SRPMS:
eet-1.7.5-2.1.mga3.src.rpm
eet-1.7.10-1.1.mga4.src.rpm
URL: (none) => http://lwn.net/Vulnerabilities/603972/
CC: (none) => tremyfr
Assignee: tremyfr => qa-bugs
Validating this. See the discussion in the QA meeting: http://meetbot.mageia.org/mageia-qa/2014/mageia-qa.2014-07-31-19.02.log.html#l-30 The advisory still needs to be uploaded. Please push this to core/updates for Mageia 3 and Mageia 4.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
CC: (none) => remi
Whiteboard: MGA3TOO => MGA3TOO advisory
Installs fine on Mageia 4 32bit, and the "eet" command produces some output. Good enough for an already validated update.
Whiteboard: MGA3TOO advisory => MGA3TOO MGA4-32-OK advisory
Made sure it installs in Mageia 3 32bit.
Whiteboard: MGA3TOO MGA4-32-OK advisory => MGA3TOO MGA3-32-OK MGA4-32-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0321.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED