Andrew Cooper
2024-Oct-16 20:54 UTC
[Pkg-xen-devel] Bug#1085137: libxen: Libxen Includes Code Similar to LZO Decompressor with a Known CVE
On Tue, 15 Oct 2024 14:20:02 +0400 Mariam Arutunian <mariamarutunian at gmail.com> wrote:
> Package: libxen
> Version: 4.17.3
> Severity: normal
> X-Debbugs-Cc: mariamarutunian at gmail.com
>
> Dear Maintainer,
> A vulnerability identified as CVE-2014-4608 was discovered and fixed in the LZO decompressor in the Linux kernel with the following commit: https://github.com/torvalds/linux/commit/206a81c18401c0cde6e579164f752c4b147324ce, which amended the "lzo1x_decompress_safe" function located in the lib/lzo/lzo1x_decompress_safe.c file.
> The Xen project contains a similar "lzo1x_decompress_safe" function in the xen/common/lzo.c file, which has not been fixed.

Linux commit 206a81c18401 ("lzo: properly check for overruns") was reverted a month later in af958a38a60c ("Revert "lzo: properly check for overruns"") and then fixed differently in 72cf90124e87 ("lzo: check for length overrun in variable length encoding."). Xen mirrored that sequence with 504f70b62406, 092978f2ffcf and then 10a94ddbd2eb.

~Andrew
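As an added illustration of the class of check the thread refers to (bounding the run of 0x00 bytes in LZO1X's variable-length count so that the accumulated 255-per-byte length cannot wrap), here is a stand-alone parser for that encoding. This is example code, not the Linux or Xen decompressor; the function, enum and macro names are illustrative, and the constant is chosen so that 255*zeros + 15 + 255 always fits in size_t.

```c
#include <stddef.h>
#include <stdint.h>

/* Largest run of 0x00 count bytes accepted: 255 * MAX_255_COUNT plus the
   15 + last-byte tail still fits in size_t, so the sum below cannot wrap.
   Illustrative name; mirrors the idea of bounding the count rather than
   trying to reason about every input-overrun path. */
#define MAX_255_COUNT ((((size_t)~0) / 255) - 2)

enum { VL_OK = 0, VL_INPUT_OVERRUN = -1, VL_LENGTH_OVERRUN = -2 };

/* Parse the extended length that follows a zero count nibble in LZO1X.
   On entry *ip points at the first byte after that zero and ip_end one
   past the end of the input. Each further 0x00 adds 255; the first
   non-zero byte terminates the run and contributes its own value + 15.
   On success *t receives the decoded count and *ip is advanced past the
   terminating byte. The input pointer is only read while it is in bounds. */
int lzo_read_varlen(const uint8_t **ip, const uint8_t *ip_end, size_t *t)
{
    const uint8_t *p = *ip;
    const uint8_t *start = p;
    size_t zeros;

    for (;;) {
        if (p >= ip_end)
            return VL_INPUT_OVERRUN;   /* count never terminated */
        if (*p != 0)
            break;
        p++;
    }

    zeros = (size_t)(p - start);
    if (zeros > MAX_255_COUNT)
        return VL_LENGTH_OVERRUN;      /* 255 * zeros would wrap size_t */

    *t = zeros * 255 + 15 + *p;        /* safe: bounded above */
    *ip = p + 1;
    return VL_OK;
}
```

On a 32-bit build the length check is reachable with roughly 16 MiB of zero bytes; on 64-bit it is unreachable in practice but costs one comparison.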