Bugzilla – Bug 883947
VUL-0: CVE-2014-4607: lzo: DoS or possible RCE by allowing an attacker to change control flow
Last modified: 2014-09-01 10:01:26 UTC
CVE-2014-4607. Still embargoed and no CRD given, but this will probably change very soon since some reports leaked.

Report ID: LMS-2014-06-16-1
Report Code Name: LAZARUS.1
Researcher Name: Don A. Bailey

Vulnerability Scope:
liblzo1:
- All versions of lzo1 are affected
liblzo2:
- All versions of lzo2 are affected
- Except for platforms that set both of the LZO_UNALIGNED_OK_8 and LZO_UNALIGNED_OK_4 preprocessor macros

Vulnerability Tested:
liblzo1:
x86_64: vulnerable
i386: vulnerable
ARM: vulnerable
liblzo2:
x86_64: not vulnerable
i386: vulnerable
ARM: vulnerable

Functions Affected:
lzo1x_decompress_safe
lzo1y_decompress_safe
lzo1z_decompress_safe

Criticality Reasoning
---------------------
Despite the likelihood that this vulnerability will result in a simple denial of service, there is a strong possibility that memory corruption can result in remote code execution. If the LZO decompression algorithm is used in a threaded or kernel context, it may be possible to corrupt memory structures that control the flow of execution in other contexts. When the executive switches context, control of a secondary thread or process may be obtained. This attack is highly specialized and requires a deep understanding of the target architecture to succeed. Therefore, it is possible, but impractical, to implement an RCE attack using this bug.

Despite RCE being impractical, the criticality level must be defined as High because the vulnerable algorithm has been in use since approximately 1999. The set of affected systems is potentially large and unmanageable due to the period of time the vulnerable algorithm has been deployed. As a result, there may still be legacy systems in production that are vulnerable to RCE.

Vulnerability Description
-------------------------
An integer overflow may occur when processing any variant of a "literal run" in the lzo1x_decompress_safe function. Each of these three locations is subject to an integer overflow when processing zero bytes.

This exposes the code that copies literals to memory corruption. It should be noted that if the target is 64-bit liblzo2, the overflow is still possible, but impractical. An overflow would require so much input data that an attack would be infeasible even on modern computers.

Vulnerability Resolution
------------------------
A patch is in development.
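The following is an added illustration of the overflow class the report describes; it is not liblzo code, not the upstream fix, and not part of the original bug comments. It models only the extended "literal run" length path of an LZO1X-style decoder: once the tag byte is zero, every further zero byte adds 255 to the run length and the first non-zero byte terminates the run. The assumptions are mine: lzo_uint32 stands in for lzo_uint on the 32-bit builds (i386, ARM) the report lists as vulnerable, both functions take the input pointer positioned just after the zero tag byte, the overrun checks are written in the t+3 / t+4 style, and MAX_255_COUNT, the function names and the crafted input (16843008 zero bytes followed by the byte 238) are constructed for this example. The unchecked variant accepts a length of 0xFFFFFFFD because t+3 wraps to 0 and t+4 to 1; the checked variant bounds the zero-byte count before it can wrap and refuses the same input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not liblzo's code: lzo_uint on the affected 32-bit builds. */
typedef uint32_t lzo_uint32;

enum { LZ_OK = 0, LZ_ERROR = -1, LZ_ALLOC = -2, LZ_INPUT_OVERRUN = -4, LZ_OUTPUT_OVERRUN = -5 };

/* Vulnerable pattern: unbounded 255-per-zero accumulation, then overrun checks
 * that form t + 4 and t + 3 in the 32-bit type, which wrap once t is near UINT32_MAX. */
int literal_len_unchecked(const uint8_t *ip, size_t in_len, size_t out_room, lzo_uint32 *len_out)
{
    const uint8_t *ip_end = ip + in_len;
    lzo_uint32 t = 0;

    while (ip < ip_end && *ip == 0) {
        t += 255;                                   /* accumulator wraps modulo 2^32 */
        ip++;
    }
    if (ip >= ip_end)
        return LZ_INPUT_OVERRUN;
    t += 15 + *ip++;                                /* terminating non-zero byte */
    if ((lzo_uint32)(ip_end - ip) < (lzo_uint32)(t + 4))   /* t + 4 can wrap to 1 */
        return LZ_INPUT_OVERRUN;
    if ((lzo_uint32)out_room < (lzo_uint32)(t + 3))        /* t + 3 can wrap to 0 */
        return LZ_OUTPUT_OVERRUN;
    *len_out = t;                                   /* caller would now copy t + 3 literals */
    return LZ_OK;
}

/* Hardened version (my own bound, not the upstream patch): count zero bytes first,
 * reject counts whose run length cannot be represented, and never form t + k. */
#define MAX_255_COUNT ((UINT32_MAX / 255) - 2)

int literal_len_checked(const uint8_t *ip, size_t in_len, size_t out_room, lzo_uint32 *len_out)
{
    const uint8_t *ip_end = ip + in_len;
    size_t zeros = 0, remaining;
    lzo_uint32 t;

    while (ip < ip_end && *ip == 0) {
        zeros++;
        ip++;
    }
    if (ip >= ip_end)
        return LZ_INPUT_OVERRUN;
    if (zeros > MAX_255_COUNT)
        return LZ_ERROR;                            /* 255*zeros + 15 + 255 would exceed UINT32_MAX */
    t = (lzo_uint32)zeros * 255u + 15u + *ip++;     /* cannot wrap after the bound above */
    remaining = (size_t)(ip_end - ip);
    if (remaining < 4 || remaining - 4 < t)         /* same conditions, subtraction instead of t + 4 */
        return LZ_INPUT_OVERRUN;
    if (out_room < 3 || out_room - 3 < t)
        return LZ_OUTPUT_OVERRUN;
    *len_out = t;
    return LZ_OK;
}

/* Ordinary run for comparison: two zero bytes then 0x07 -> 2*255 + 15 + 7 = 532. */
lzo_uint32 sane_len(int use_checked)
{
    uint8_t buf[3 + 540];
    lzo_uint32 len = 0;
    int rc;
    memset(buf, 'B', sizeof buf);                   /* constructed literal payload */
    buf[0] = 0; buf[1] = 0; buf[2] = 7;
    rc = use_checked ? literal_len_checked(buf, sizeof buf, 600, &len)
                     : literal_len_unchecked(buf, sizeof buf, 600, &len);
    return rc == LZ_OK ? len : 0;
}

/* Constructed input: 16843008 zeros then 238 -> 255*16843008 + 15 + 238 = 0xFFFFFFFD. */
#define CRAFTED_ZEROS 16843008u
#define CRAFTED_TAIL 8u

static int run_crafted(int use_checked, lzo_uint32 *len)
{
    size_t n = (size_t)CRAFTED_ZEROS + 1 + CRAFTED_TAIL;
    uint8_t *buf = calloc(n, 1);                    /* ~16.8 MB of zero bytes */
    int rc;
    if (!buf)
        return LZ_ALLOC;
    buf[CRAFTED_ZEROS] = 238;
    memset(buf + CRAFTED_ZEROS + 1, 'A', CRAFTED_TAIL);
    *len = 0;
    rc = use_checked ? literal_len_checked(buf, n, 64, len)
                     : literal_len_unchecked(buf, n, 64, len);
    free(buf);
    return rc;
}

lzo_uint32 crafted_unchecked_len(void) { lzo_uint32 l; return run_crafted(0, &l) == LZ_OK ? l : 0; }
int crafted_checked_rc(void) { lzo_uint32 l; return run_crafted(1, &l); }

int main(void)
{
    printf("sane run: unchecked=%u checked=%u\n", sane_len(0), sane_len(1));
    printf("crafted run: unchecked accepts 0x%08x literals, checked rc=%d\n",
           crafted_unchecked_len(), crafted_checked_rc());
    return 0;
}
```

The 16.8 MB of zero bytes is why the report rates a 64-bit liblzo2 as impractical to attack: with a 64-bit lzo_uint the same wrap would need on the order of 2^64 / 255 input bytes. The hardened variant also shows the general rule for this bug class: bound the multiplier count before multiplying, and check remaining space by subtraction from the known-good side rather than by adding to the attacker-controlled length.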
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2014-07-01. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58008
Affected packages: SLE-10-SP3-TERADATA: lzo SLE-11-SP3: lzo SLE-9-SP3-TERADATA: lzo
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (883947) was mentioned in https://build.opensuse.org/request/show/239295 Factory / lzo https://build.opensuse.org/request/show/239298 13.1+12.3 / lzo
Update released for: liblzo2-2, lzo, lzo-debuginfo, lzo-debugsource, lzo-devel Products: SLE-DEBUGINFO 11-SP1-TERADATA (x86_64) SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: lzo, lzo-devel Products: SUSE-CORE 9-SP3-TERADATA (x86_64)
Update released for: lzo-devel Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: liblzo2-2, liblzo2-2-32bit, liblzo2-2-64bit, liblzo2-2-x86, lzo, lzo-debuginfo, lzo-debugsource, lzo-devel, lzo-devel-32bit, lzo-devel-64bit Products: SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP3 (i386, x86_64) SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64) SLES4VMWARE 11-SP3 (i386, x86_64)
SUSE-SU-2014:0904-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 883947 CVE References: CVE-2014-4607 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): lzo-2.03-12.3.1 SUSE Linux Enterprise Server 11 SP3 for VMware (src): lzo-2.03-12.3.1 SUSE Linux Enterprise Server 11 SP3 (src): lzo-2.03-12.3.1 SUSE Linux Enterprise Desktop 11 SP3 (src): lzo-2.03-12.3.1
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2014-07-24. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58336
We reviewed this and will schedule an LTSS update for it, as this is likely exploitable and, as a library, it is hard to say which services use it. openvpn, for instance, uses lzo, although I have not checked in which scenarios.
openSUSE-SU-2014:0922-1: An update that contains security fixes can now be installed. Category: security (moderate) Bug References: 883947 CVE References: Sources used: openSUSE 13.1 (src): lzo-2.06-12.4.1 openSUSE 12.3 (src): lzo-2.06-9.4.1
SUSE-SU-2014:0955-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 883947 CVE References: CVE-2014-4607 Sources used: SUSE Linux Enterprise Server 11 SP2 LTSS (src): lzo-2.03-12.3.1 SUSE Linux Enterprise Server 11 SP1 LTSS (src): lzo-2.03-12.3.1 SUSE Linux Enterprise Server 10 SP4 LTSS (src): lzo-2.02-12.10.1 SUSE Linux Enterprise Server 10 SP3 LTSS (src): lzo-2.02-12.10.1
released