Bug 13959 - distcc new security issue CVE-2014-4607
Summary: distcc new security issue CVE-2014-4607
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/604237/
Whiteboard: MGA3TOO has_procedure advisory MGA3-3...
Keywords: validated_update
Depends on:
Blocks: 13943
Reported: 2014-08-20 22:07 CEST by David Walser
Modified: 2014-09-01 12:44 CEST

See Also:
Source RPM: distcc-3.2rc1-5.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2014-08-20 22:07:57 CEST
distcc bundles minilzo, which is affected by the CVE-2014-4607 issue from the LZO library.

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated distcc packages fix security vulnerability:

An integer overflow in liblzo before 2.07 allows attackers to cause a denial
of service or possibly code execution in applications performing LZO
decompression on a compressed payload from the attacker (CVE-2014-4607).

The distcc package is built with a bundled copy of minilzo, which is a
part of liblzo containing the vulnerable code.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607
http://advisories.mageia.org/MGASA-2014-0290.html
========================

Updated packages in core/updates_testing:
========================
distcc-3.2rc1-3.1.mga3
distcc-server-3.2rc1-3.1.mga3
distcc-3.2rc1-5.1.mga4
distcc-server-3.2rc1-5.1.mga4

from SRPMS:
distcc-3.2rc1-3.1.mga3.src.rpm
distcc-3.2rc1-5.1.mga4.src.rpm

David Walser 2014-08-20 22:08:05 CEST

Blocks: (none) => 13943
Whiteboard: (none) => MGA3TOO
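As an added illustration of the bug class the advisory names (an unchecked length accumulator in a decompressor), and not code from distcc, liblzo or minilzo, the block below models a run-length decoder of the kind LZO-style formats use for literal runs: each leading zero byte adds 255 to a fixed-width counter and the first non-zero byte terminates the run. The encoding details, the function names, the 32-bit counter width and the rejection threshold are assumptions made for this example; the page does not show the library's own code. The pre-fix decoder lets the counter wrap silently; the hardened one checks the accumulator right after each addition and treats an impending overflow as malformed input.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/*
 * Simplified model (assumption, not liblzo code): a run length is encoded as
 * N zero bytes, each worth 255, followed by one non-zero byte worth 15 + value.
 * The accumulator is deliberately a 32-bit unsigned value, as on a 32-bit
 * build, so the wrap is reachable with about 16 MB of input.
 *
 * Both decoders return the number of input bytes consumed, or 0 on error
 * (truncated run, or, for the hardened decoder, a length that would overflow).
 */

/* Largest accumulator value the hardened decoder will still accept after an
 * addition: leaves room for one more terminating byte (15 + 255 < 511). */
#define RUN_LEN_LIMIT (UINT32_MAX - 511u)

/* 255 * 16843009 == UINT32_MAX: after this many zero bytes the counter sits at
 * 0xFFFFFFFF and the terminating byte pushes it past the top of the type. */
#define WRAP_ZEROS 16843009u

/* Pre-fix behaviour: the accumulator is never bounds-checked. */
size_t decode_run_unsafe(const uint8_t *ip, size_t avail, uint32_t *len_out)
{
    uint32_t t = 0;
    size_t pos = 0;
    while (pos < avail && ip[pos] == 0) {
        t += 255;               /* wraps silently after WRAP_ZEROS zero bytes */
        pos++;
    }
    if (pos >= avail)
        return 0;               /* truncated: no terminating byte */
    t += 15 + ip[pos++];
    *len_out = t;
    return pos;
}

/* Hardened: check the accumulator immediately after each addition. */
size_t decode_run_safe(const uint8_t *ip, size_t avail, uint32_t *len_out)
{
    uint32_t t = 0;
    size_t pos = 0;
    while (pos < avail && ip[pos] == 0) {
        t += 255;               /* cannot wrap: previous t <= RUN_LEN_LIMIT */
        pos++;
        if (t > RUN_LEN_LIMIT)
            return 0;           /* next addition could overflow: reject */
    }
    if (pos >= avail)
        return 0;
    t += 15 + ip[pos++];        /* t <= RUN_LEN_LIMIT + 270 < UINT32_MAX */
    *len_out = t;
    return pos;
}

/* Constructed input for the demonstration: `zeros` 0x00 bytes then `last`.
 * Caller frees the buffer. */
uint8_t *make_run(size_t zeros, uint8_t last, size_t *len)
{
    uint8_t *buf = malloc(zeros + 1);
    if (buf == NULL)
        return NULL;
    memset(buf, 0, zeros);
    buf[zeros] = last;
    *len = zeros + 1;
    return buf;
}

int main(void)
{
    uint32_t len = 0;
    size_t n = 0;
    uint8_t *run = make_run(WRAP_ZEROS, 1, &n);   /* constructed, ~16 MB */
    if (run == NULL)
        return 1;

    if (decode_run_unsafe(run, n, &len) != 0)
        printf("unsafe decoder: %zu input bytes decoded as length %u\n", n, len);
    if (decode_run_safe(run, n, &len) == 0)
        printf("safe decoder: run rejected as malformed\n");

    free(run);
    return 0;
}
```

With the constructed input the unsafe decoder reports a length of 15 for a run that actually spans more than 16 million bytes, which is exactly the mismatch between claimed and real size that downstream bounds checks and copies then trust; the hardened decoder refuses the run long before the counter can wrap. The important design point is the placement of the check: testing before the addition is not sufficient, because the terminating byte adds up to 270 more.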

Comment 1 Rémi Verschelde 2014-08-23 14:03:55 CEST
distcc is a tool to distribute a compilation over a network. So to test it one needs at least two machines connected to each other.

Some instructions on how to set it up: http://distcc.googlecode.com/svn/trunk/doc/web/index.html

CC: (none) => remi

Comment 2 Damyan Dimitrov 2014-08-29 14:03:48 CEST
The packages distcc and distcc-server are updating cleanly on both releases and both architectures.

CC: (none) => damyan.dimitrov
Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 3 claire robinson 2014-08-30 15:31:28 CEST
Well done Damyan. Don't forget to validate any which is ready.

Validating this one now. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure advisory MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2014-09-01 12:44:39 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0362.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

