Busybox bundles part of the liblzo code, containing the lzo1x_decompress_safe function, which is affected by CVE-2014-4607.

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated busybox packages fix security vulnerability:

An integer overflow in liblzo before 2.07 allows attackers to cause a denial of service or possibly code execution in applications performing LZO decompression on a compressed payload from the attacker (CVE-2014-4607).

Busybox bundles part of the liblzo code, containing the lzo1x_decompress_safe function, which is affected by this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607
http://advisories.mageia.org/MGASA-2014-0290.html
========================

Updated packages in core/updates_testing:
========================
busybox-1.20.2-2.2.mga3
busybox-static-1.20.2-2.2.mga3
busybox-1.21.1-3.1.mga4
busybox-static-1.21.1-3.1.mga4

from SRPMS:
busybox-1.20.2-2.2.mga3.src.rpm
busybox-1.21.1-3.1.mga4.src.rpm
Blocks: (none) => 13943
Whiteboard: (none) => MGA3TOO
Testing MGA4 64 real hardware.

Installed busybox from release repos, updated from Updates Testing to:
busybox-1.21.1-3.1.mga4

$ busybox
lists available commands; with the --list-full option it shows the normal path for each command.
To find help for a command:
$ busybox <command> -h or --help
To run a command, typically:
$ busybox <command> [options] [FILE]

Tried as many of the related/paired compress/[cat]/uncompress busybox commands as I could find, on a long text file. Annoyingly, the many commands do not cite their compression type, so finding the equivalent CAT or UNcompress command for a given compress one can be guesswork.

Curiosity: busybox has no 'compress' for its 'uncompress', nor 'zip' for its 'unzip'; but they both worked on appropriate files compressed directly.

All these actions appeared to be OK.
CC: (none) => lewyssmith
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK
To be more clear, only the lzop command in busybox is affected by this update.
Testing complete mga3 32

Needn't be root to do this but it doesn't hurt anything. Testfile was just a random file.

# ll testfile*
-rw------- 1 root root 262144 Aug 21 14:29 testfile
# busybox lzop testfile
# ll testfile*
-rw------- 1 root root 262198 Aug 21 14:28 testfile.lzo

Compression apparently made it bigger :D

# busybox lzop -d testfile.lzo
# ll testfile
-rw------- 1 root root 262144 Aug 21 14:36 testfile

Tried a few other random commands too such as 'busybox ls', see previous update for examples https://bugs.mageia.org/show_bug.cgi?id=6673#c9

Repeated for busybox-static..

# busybox.static lzop testfile
# ll testfile*
-rw------- 1 root root 262198 Aug 21 14:40 testfile.lzo
# busybox.static lzop -d testfile.lzo
# ll testfile*
-rw------- 1 root root 262144 Aug 21 14:40 testfile
Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO has_procedure MGA4-64-OK mga3-32-ok
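A scripted version of the lzop round-trip checks in the two test comments above, added here as an example and not part of this bug report. It assumes busybox lzop accepts -c (write to stdout) and -d (decompress), and that busybox and busybox.static from the updated packages are on PATH; the test file is constructed by the script.

```shell
#!/bin/sh
# Round-trip harness for the busybox lzop QA steps in this bug (added
# example, not from the report). Instead of eyeballing sizes with ll it
# checks the decompressed output byte for byte against the original, so
# a short or corrupt result from lzo1x_decompress_safe is detected.
# Assumed: busybox lzop accepts -c (stdout) and -d (decompress).

# roundtrip COMPRESS_CMD DECOMPRESS_CMD FILE
# Returns 0 when FILE survives compress+decompress unchanged, 1 otherwise.
roundtrip() {
    comp=$1; decomp=$2; src=$3
    work=$(mktemp -d) || return 1
    # Command strings are deliberately unquoted so their flags are split.
    if $comp < "$src" > "$work/packed" && $decomp < "$work/packed" > "$work/out"; then
        printf '%s: %s -> %s bytes\n' "$src" "$(wc -c < "$src")" "$(wc -c < "$work/packed")"
        cmp -s "$src" "$work/out"; rc=$?
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

# Constructed input: compressible text plus a random tail (the report's
# testfile was pure random data, which is why lzop made it bigger).
make_testfile() {
    i=0; : > "$1"
    while [ "$i" -lt 2000 ]; do
        echo "line $i of the busybox lzop round-trip test" >> "$1"
        i=$((i + 1))
    done
    head -c 4096 /dev/urandom >> "$1" 2>/dev/null || true
}

# Exercise both binaries shipped by the update, as the report does.
check_update() {
    f=$(mktemp) || return 1
    make_testfile "$f"; rc=0
    for bin in busybox busybox.static; do
        if ! command -v "$bin" >/dev/null 2>&1; then
            echo "$bin: not installed, skipped"
        elif roundtrip "$bin lzop -c" "$bin lzop -dc" "$f"; then
            echo "$bin lzop: OK"
        else
            echo "$bin lzop: FAIL"; rc=1
        fi
    done
    rm -f "$f"; return $rc
}
```

Run `check_update` on a machine with the updates_testing packages installed; a non-zero exit means one of the binaries did not reproduce the input.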
Testing completed mga4 64

Just checked lzop
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA4-64-OK mga3-32-ok => MGA3TOO has_procedure advisory MGA4-64-OK mga3-32-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0351.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED