Ack: [Lucid][CVE-2014-4608][PATCH 0/3] lzo: properly check for overruns

Brad Figg brad.figg at canonical.com
Fri Jun 27 16:49:04 UTC 2014


On 06/27/2014 09:39 AM, Luis Henriques wrote:
>  WARNING:
>  The buglink is missing in these patches!  Whoever is applying
>  the patches, please wait for the buglink to be provided!
> 
> Following this email I'm sending 3 patches that include the Lucid fix
> for this CVE.  I've used the same approach used by GregKH for the 3.4
> stable kernel backport, i.e., picked the following 3 commits:
> 
> b6bec26cea94 "lib/lzo: Rename lzo1x_decompress.c to lzo1x_decompress_safe.c"
>  Backport: just dropped changes to lib/decompress_unlzo.c, which
>  doesn't exist in Lucid
> 
> 8b975bd3f908 "lib/lzo: Update LZO compression to current upstream version"
>  Trivial backport (context)
> 
> 206a81c18401 "lzo: properly check for overruns"
>  The actual CVE fix, a clean cherry-pick
> 
> Greg Kroah-Hartman (1):
>   lzo: properly check for overruns
> 
> Markus F.X.J. Oberhumer (2):
>   lib/lzo: Rename lzo1x_decompress.c to lzo1x_decompress_safe.c
>   lib/lzo: Update LZO compression to current upstream version
> 
>  include/linux/lzo.h             |  15 +-
>  lib/lzo/Makefile                |   2 +-
>  lib/lzo/lzo1x_compress.c        | 335 +++++++++++++++++++++++-----------------
>  lib/lzo/lzo1x_decompress.c      | 252 ------------------------------
>  lib/lzo/lzo1x_decompress_safe.c | 255 ++++++++++++++++++++++++++++++
>  lib/lzo/lzodefs.h               |  38 +++--
>  6 files changed, 485 insertions(+), 412 deletions(-)
>  delete mode 100644 lib/lzo/lzo1x_decompress.c
>  create mode 100644 lib/lzo/lzo1x_decompress_safe.c
> 


-- 
Brad Figg brad.figg at canonical.com http://www.canonical.com