Bug 13943 - liblzo or minilzo bundled within packages, affected by CVE-2014-4607
Summary: liblzo or minilzo bundled within packages, affected by CVE-2014-4607
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Mageia Bug Squad
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/604237/
Whiteboard: MGA3TOO
Depends on: 13933 13934 13944 13945 13947 13956 13957 13958 13959 13960 14001 14047
  Show dependency treegraph
Reported: 2014-08-19 18:44 CEST by David Walser
Modified: 2014-09-15 15:47 CEST (History)
11 users (show)

See Also:
Source RPM:
Status comment:


Description David Walser 2014-08-19 18:44:32 CEST
These packages bundle minilzo.c:
bb blender distcc dump grub2 harbour icecream italc krfb libvncserver mednafen remmina x11vnc

Busybox bundles lzo.

There may be others, but those are the ones I'm aware of.  We fixed CVE-2014-4607 in the system lzo in Bug 13655.  We do not have a system minilzo.

krfb has Bug 13933 filed for it.

harbour has Bug 13934 filed for it.

The rest are in progress...


Steps to Reproduce:
David Walser 2014-08-19 18:44:50 CEST

Depends on: (none) => 13933, 13934

Comment 1 David Walser 2014-08-19 19:24:47 CEST
I got a patch from upstream for Busybox.

For minilzo, the patch Luc applied for krfb (kdenetwork4) in Mageia 3 also applied for libvncserver and remmina.

It does not apply for bb, blender, distcc, dump, grub2, icecream, italc, mednafen, or x11vnc.
Comment 2 David Walser 2014-08-19 19:31:02 CEST
CC'ing Nanar for bb, Funda for blender, Kamil for distcc and x11vnc, Barry for grub2, Anssi and Damien for icecream, Damien and Bersuit and dmorgan also for italc, Rémi for mednafen, and Shlomi also for distcc.

CC: (none) => anssi.hannula, bersuit.vera, dmorganec, fundawang, mageia, n54, nanardon, remi, shlomif, zen25000

David Walser 2014-08-19 19:40:00 CEST

Depends on: (none) => 13944

David Walser 2014-08-19 19:44:23 CEST

Depends on: (none) => 13945

Comment 3 David Walser 2014-08-19 19:45:49 CEST
Filed Bug 13944 for libvncserver and remmina.

Filed Bug 13945 for busybox.

Whiteboard: (none) => MGA4TOO, MGA3TOO

Rémi Verschelde 2014-08-20 00:01:51 CEST

Depends on: (none) => 13947

Comment 4 Rémi Verschelde 2014-08-20 00:02:08 CEST
Filed Bug 13947 for mednafen.
Comment 5 David Walser 2014-08-20 19:31:58 CEST
Barry's patch for harbour works for blender and icecream (had to regenerate it on the mga3 versions).  Those are now committed.

Blender in Cauldron does not build though:

The patch from harbour also worked for italc (had to regenerate it for the mga3/mga4 version).

I was also able to adapt the patch from harbour for grub2.

Still no luck for bb, distcc, dump, or x11vnc.
David Walser 2014-08-20 20:36:01 CEST

Depends on: (none) => 13956

David Walser 2014-08-20 20:36:21 CEST

Depends on: (none) => 13957

David Walser 2014-08-20 20:36:34 CEST

Depends on: (none) => 13958

Comment 6 David Walser 2014-08-20 20:37:25 CEST
Filed Bug 13956 for icecream.

Filed Bug 13957 for grub2.

Filed Bug 13958 for italc.
David Walser 2014-08-20 22:08:05 CEST

Depends on: (none) => 13959

Comment 7 David Walser 2014-08-20 22:12:19 CEST
Found a patch in Fedora for distcc.

Filed Bug 13959 for distcc.
David Walser 2014-08-20 23:17:38 CEST

Depends on: (none) => 13960

Comment 8 David Walser 2014-08-20 23:17:52 CEST
x11vnc is buildable against the system libvncserver (thanks to configure options found in Fedora), so that's been added to Bug 13944.

blender will still need to be fixed to build in Cauldron, but for mga3/mga4 I've pushed it to the build system and filed Bug 13960.

That leaves us with just bb and dump to fix!
Comment 9 David Walser 2014-08-27 21:35:10 CEST
bb is now dropped in Cauldron (and probably unlikely to be fixed in mga3/mga4).

dump is the only remaining issue in Cauldron (besides blender).
David Walser 2014-08-28 15:51:36 CEST

Depends on: (none) => 14001

Comment 10 Oden Eriksson 2014-09-03 09:35:05 CEST
I bumped the bundled lzo-1.08 code to lzo-2.08 in dump. This needs extensive testing.

Please test:

dump-0.4b44-2.1.mga3, dump-0.4b44-3.1.mga4 and dump-0.4b44-4.mga5


CC: (none) => oe

David Walser 2014-09-03 14:55:53 CEST

Depends on: (none) => 14047

Comment 11 David Walser 2014-09-03 14:57:07 CEST
Thanks Oden!

Bug 14047 filed for dump.

All that's left to do in Cauldron is to get blender to build.
Comment 12 David Walser 2014-09-07 02:30:12 CEST
blender-2.71-7.mga5 built in Cauldron (it wasn't easy!).

Now all that's left for this bug is to validate the dump update, and there's also the bb package which is unlikely to be fixed.

Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 13 David Walser 2014-09-15 15:47:43 CEST
Ignoring bb; this is as fixed as it's going to be.

Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.