[security-announce] busybox: Security update

Sona Sarmadi sona.sarmadi at enea.com
Tue Jun 2 07:16:36 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

	Enea Linux Security Advisory

=========================================================
Product/package: busybox 1.22.1 (lzo)
Severity: Moderate
CVE Name: CVE-2014-4607 lzo1x_decompress_safe() integer overflow
=========================================================
This security update fixes an integer overflow in lzo1x_decompress_safe().

The patch and README files are GPG-signed by ESRT (Enea Security
Response Team) so that their origin can be verified.
To verify the integrity of the patches, download the ESRT public key from:
https://pgp.mit.edu/pks/lookup?op=vindex&search=0x773EF6EF68716A14

For detailed info refer to
https://linux.enea.com/5.0-beta-m400/patche/patches/README.asc

Signed patch and README files
=============================
0015-busybox-lzo-CVE-2014-4607.README.asc
0015-busybox-lzo-CVE-2014-4607.patch.asc

Description
===========
A subtle but critical integer overflow vulnerability has been detected
in Lempel-Ziv-Oberhumer (LZO), an extremely efficient data compression
algorithm optimized for decompression speed, which is almost five
times that of the zlib and bzip compression algorithms.

The MITRE CVE entry for this vulnerability is still marked as reserved.

References:
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4607
http://www.openwall.com/lists/oss-security/2014/06/26/20

How to apply the patches
=======================
 - Preparation
Make sure that you have an Enea Linux installation and have applied
the existing patches in the right order.

wget http://linux.enea.com/5.0-beta-m400/Enea-Linux-5.0-beta-m400.tar.gz
tar zxvf Enea-Linux-5.0-beta-m400.tar.gz
<Fetch and apply the existing patches, please refer to
    README file for the individual patch>

 - Fetch and apply the new patch
cd Enea-Linux-5.0-beta-m400/poky
wget http://linux.enea.com/5.0-beta-m400/patches/0015-busybox-lzo-CVE-2014-4607.patch.asc
patch -p1 < ./0015-busybox-lzo-CVE-2014-4607.patch.asc
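The advisory signs the patch precisely so that its origin can be checked, but the steps above download and apply it without ever running that check. The script below is an added example, not Enea's or ESRT's own tooling: it verifies that the downloaded .asc carries a valid signature made by the ESRT key named in the advisory (key ID 0x773EF6EF68716A14), writes out the signed text, dry-runs the patch and only then applies it. It assumes, since the advisory pipes the .asc straight into patch, that the .asc files are clearsigned patches, that GnuPG 2.x and GNU or busybox patch are installed, and that the ESRT key has already been imported (for example with gpg --recv-keys 0x773EF6EF68716A14). The sample file and diff used by demo_apply are constructed for the demonstration and are not the advisory's patch.

```shell
#!/bin/sh
# Added example, not part of the Enea advisory: verify that a downloaded
# .patch.asc carries a valid ESRT signature, extract the signed text, and
# only then apply it, after a dry run.
#
# Assumptions (not stated by the advisory): the .asc files are clearsigned
# patches, GnuPG 2.x and GNU or busybox patch are installed, and the ESRT
# key has been imported, e.g. with:  gpg --recv-keys 0x773EF6EF68716A14

ESRT_KEYID="773EF6EF68716A14"   # long key ID from the advisory's key URL

# verify_signed_patch ASC OUT
# Writes the signed payload (clearsign dash-escaping removed) to OUT.
# Succeeds only if the signature verifies AND was made by the ESRT key:
# a valid signature from some other key in the local keyring is rejected,
# which a bare "gpg --verify" exit status would not tell apart.
verify_signed_patch() {
    asc=$1; out=$2
    # --status-fd 1 puts the machine-readable status lines on stdout;
    # the human-readable chatter goes to stderr and is discarded.
    status=$(gpg --batch --status-fd 1 --output "$out" --decrypt "$asc" 2>/dev/null) || {
        echo "signature check failed for $asc" >&2; rm -f "$out"; return 1; }
    # VALIDSIG is followed by the signing key's full fingerprint, whose
    # last 16 hex digits are the long key ID.
    if ! printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG [0-9A-Fa-f]*${ESRT_KEYID} "; then
        echo "$asc is signed, but not by ESRT key $ESRT_KEYID" >&2; rm -f "$out"; return 1
    fi
}

# apply_patch_checked DIFF DIR
# Dry-run first so a partially applied tree is never left behind; -N turns
# an already-applied patch into a hard failure instead of a prompt.
apply_patch_checked() {
    diff_file=$1; dir=$2
    ( cd "$dir" && patch -p1 -N --dry-run < "$diff_file" >/dev/null ) || {
        echo "patch does not apply cleanly; $dir left untouched" >&2; return 1; }
    ( cd "$dir" && patch -p1 -N < "$diff_file" >/dev/null )
}

# fetch_verify_apply URL DIR
# The advisory's wget and patch steps with the signature check in between.
fetch_verify_apply() {
    url=$1; dir=$2
    asc=$(basename "$url")
    wget -q -O "$asc" "$url" || return 1
    verify_signed_patch "$asc" "${asc%.asc}" || return 1
    apply_patch_checked "${asc%.asc}" "$dir"
}

# demo_apply
# Exercises apply_patch_checked offline on a constructed file and a
# constructed unified diff (sample data, not the advisory's patch).
# Prints the patched file and returns 0 if the apply succeeds and the
# dry-run guard refuses a second application without touching the file.
demo_apply() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/tree"
    printf 'line one\nline two\nline three\n' > "$tmp/tree/notes.txt"
    printf '%s\n' '--- a/notes.txt' '+++ b/notes.txt' '@@ -1,3 +1,3 @@' \
        ' line one' '-line two' '+line two (patched)' ' line three' > "$tmp/notes.diff"
    apply_patch_checked "$tmp/notes.diff" "$tmp/tree" || { rm -rf "$tmp"; return 1; }
    result=$(cat "$tmp/tree/notes.txt")
    if apply_patch_checked "$tmp/notes.diff" "$tmp/tree" 2>/dev/null; then
        rm -rf "$tmp"; return 1
    fi
    [ "$(cat "$tmp/tree/notes.txt")" = "$result" ] || { rm -rf "$tmp"; return 1; }
    rm -rf "$tmp"
    printf '%s\n' "$result"
}

demo_apply
```

In real use, call fetch_verify_apply with the patch URL from the advisory and the poky directory; the key-ID check is the part that matters, since a keyring that has accumulated other trusted keys would otherwise accept any of them.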

If you have any questions regarding the security patches and security
updates, please contact security at enea.com.

Enea Security Team
Sona Sarmadi
Mobile: +46 70 971 4475
www.enea.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----