[Lucid][CVE-2014-4608][PATCH 0/3] lzo: properly check for overruns
Luis Henriques
luis.henriques at canonical.com
Fri Jun 27 16:39:01 UTC 2014
WARNING:
The buglink is missing in these patches! Whoever is applying
the patches, please wait for the buglink to be provided!

Following this email I'm sending 3 patches that include the Lucid fix
for this CVE. I've used the same approach used by GregKH for the 3.4
stable kernel backport, i.e., picked the following 3 commits:

b6bec26cea94 "lib/lzo: Rename lzo1x_decompress.c to lzo1x_decompress_safe.c"
    Backport: just dropped changes to lib/decompress_unlzo.c, which
    doesn't exist in Lucid

8b975bd3f908 "lib/lzo: Update LZO compression to current upstream version"
    Trivial backport (context)

206a81c18401 "lzo: properly check for overruns"
    The actual CVE fix, a clean cherry-pick

Greg Kroah-Hartman (1):
  lzo: properly check for overruns

Markus F.X.J. Oberhumer (2):
  lib/lzo: Rename lzo1x_decompress.c to lzo1x_decompress_safe.c
  lib/lzo: Update LZO compression to current upstream version

 include/linux/lzo.h             |  15 +-
 lib/lzo/Makefile                |   2 +-
 lib/lzo/lzo1x_compress.c        | 335 +++++++++++++++++++++++-----------------
 lib/lzo/lzo1x_decompress.c      | 252 ------------------------------
 lib/lzo/lzo1x_decompress_safe.c | 255 ++++++++++++++++++++++++++++++
 lib/lzo/lzodefs.h               |  38 +++--
 6 files changed, 485 insertions(+), 412 deletions(-)
 delete mode 100644 lib/lzo/lzo1x_decompress.c
 create mode 100644 lib/lzo/lzo1x_decompress_safe.c
--
1.9.1