Bug 13945 - busybox new security issue CVE-2014-4607
Summary: busybox new security issue CVE-2014-4607
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/604237/
Whiteboard: MGA3TOO has_procedure advisory MGA4-6...
Keywords: validated_update
Depends on:
Blocks: 13943
Reported: 2014-08-19 19:44 CEST by David Walser
Modified: 2014-08-25 10:44 CEST (History)

See Also:
Source RPM: busybox-1.21.1-3.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2014-08-19 19:44:06 CEST
Busybox bundles part of the liblzo code, containing the lzo1x_decompress_safe function, which is affected by CVE-2014-4607.

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated busybox packages fix security vulnerability:

An integer overflow in liblzo before 2.07 allows attackers to cause a denial
of service or possibly code execution in applications performing LZO
decompression on a compressed payload from the attacker (CVE-2014-4607).

Busybox bundles part of the liblzo code, containing the lzo1x_decompress_safe
function, which is affected by this issue.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607
http://advisories.mageia.org/MGASA-2014-0290.html
========================

Updated packages in core/updates_testing:
========================
busybox-1.20.2-2.2.mga3
busybox-static-1.20.2-2.2.mga3
busybox-1.21.1-3.1.mga4
busybox-static-1.21.1-3.1.mga4

from SRPMS:
busybox-1.20.2-2.2.mga3.src.rpm
busybox-1.21.1-3.1.mga4.src.rpm

David Walser 2014-08-19 19:44:23 CEST

Blocks: (none) => 13943
Whiteboard: (none) => MGA3TOO

Comment 1 Lewis Smith 2014-08-20 22:26:25 CEST
Testing MGA4 64 real hardware.

Installed busybox from release repos, updated from Updates Testing to:
busybox-1.21.1-3.1.mga4
 $ busybox
lists available commands; with --list-full option shows the normal path for each command. To find help for a command:
 $ busybox <command> -h   or  --help
To run a command, typically:
 $ busybox <command> [options] [FILE]

Tried as many of the related/paired compress/[cat]/uncompress busybox commands as I could find, on a long text file. Annoyingly, the many commands do not cite their compression type, so finding the equivalent CAT or UNcompress command for a given compress one can be guesswork. Curiosity: busybox has no 'compress' for its 'uncompress', nor 'zip' for its 'unzip'; but they both worked on appropriate files compressed directly. All these actions appeared to be OK.

CC: (none) => lewyssmith
Whiteboard: MGA3TOO => MGA3TOO MGA4-64-OK

Comment 2 David Walser 2014-08-20 22:29:22 CEST
To be more clear, only the lzop command in busybox is affected by this update.
Comment 3 claire robinson 2014-08-21 15:42:36 CEST
Testing complete mga3 32

Needn't be root to do this but it doesn't hurt anything.
Testfile was just a random file.

# ll testfile*
-rw------- 1 root root 262144 Aug 21 14:29 testfile

# busybox lzop testfile

# ll testfile*
-rw------- 1 root root 262198 Aug 21 14:28 testfile.lzo

Compression apparently made it bigger :D

# busybox lzop -d testfile.lzo

# ll testfile
-rw------- 1 root root 262144 Aug 21 14:36 testfile

Tried a few other random commands too such as 'busybox ls', see previous update for examples https://bugs.mageia.org/show_bug.cgi?id=6673#c9

Repeated for busybox-static...

# busybox.static lzop testfile

# ll testfile*
-rw------- 1 root root 262198 Aug 21 14:40 testfile.lzo

# busybox.static lzop -d testfile.lzo

# ll testfile*
-rw------- 1 root root 262144 Aug 21 14:40 testfile

Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO has_procedure MGA4-64-OK mga3-32-ok
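The lzop round trip above, written up as an added example script (not part of the bug report or the Mageia QA procedure): it compresses a constructed file with the given busybox binary, decompresses it again and checks the result byte for byte instead of eyeballing sizes. The function names lzop_roundtrip and check_all are hypothetical; it assumes the binary passed in (busybox or busybox.static) has the lzop applet and follows the behaviour shown above (the compressed file replaces the original and vice versa).

```shell
#!/bin/sh
# Added example, not from the bug report: automated busybox lzop round-trip check.

# lzop_roundtrip BINARY [SIZE_BYTES]
# Returns 0 when compress + decompress reproduces the input exactly, 1 otherwise.
lzop_roundtrip() {
    bin="$1"
    size="${2:-262144}"   # 256 KiB, the same size used in the manual test above
    workdir=$(mktemp -d) || return 1
    # Constructed input: random bytes do not compress, which is why the .lzo
    # file in the manual test came out slightly larger than the original.
    head -c "$size" /dev/urandom > "$workdir/testfile"
    cp "$workdir/testfile" "$workdir/original"
    # Compress: busybox lzop writes testfile.lzo (and removes testfile)
    "$bin" lzop "$workdir/testfile" || { rm -rf "$workdir"; return 1; }
    [ -e "$workdir/testfile.lzo" ] || { rm -rf "$workdir"; return 1; }
    # Decompress back and compare byte for byte with the saved copy
    "$bin" lzop -d "$workdir/testfile.lzo" || { rm -rf "$workdir"; return 1; }
    cmp -s "$workdir/testfile" "$workdir/original"
    rc=$?
    rm -rf "$workdir"
    return $rc
}

# check_all BINARY...
# Runs the round trip once per binary (e.g. busybox busybox.static),
# prints a verdict for each and returns non-zero if any of them fails.
check_all() {
    status=0
    for b in "$@"; do
        if lzop_roundtrip "$b"; then
            echo "$b lzop: OK"
        else
            echo "$b lzop: FAIL"
            status=1
        fi
    done
    return $status
}
```

Run it as `check_all busybox busybox.static` after installing the packages from updates_testing; a FAIL on either binary means the update broke the applet rather than just fixing it.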

Comment 4 claire robinson 2014-08-22 15:38:41 CEST
Testing completed mga4 64

Just checked lzop
Comment 5 claire robinson 2014-08-22 15:42:48 CEST
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA4-64-OK mga3-32-ok => MGA3TOO has_procedure advisory MGA4-64-OK mga3-32-ok
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2014-08-25 10:44:48 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0351.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
