Oberhumer LZO Multiple Memory Corruption Vulnerabilities (CVE-2014-4607)

Oberhumer LZO Multiple Memory Corruption Vulnerabilities (CVE-2014-4607)

Release date:
Updated on:

Affected Systems:
Oberhumer LZO
Description:
--------------------------------------------------------------------------------
Bugtraq id: 68213
CVE (CAN) ID: CVE-2014-4607
 
Oberhumer LZO is a real-time data compression library.
 
The implementation of Oberhumer LZO has the integer overflow vulnerability, which can cause memory corruption. Attackers can exploit this vulnerability to cause affected applications to reject services.
 
Note: Oberhumer LZO is an efficient and well-structured compression algorithm designed by Markus Oberhumer in 1994. Its source code is open source and multiple software/projects (such as OpenVPN, MPlayer2, Libav, FFmpeg, the Linux kernel, and Juniper Junos) Reuse the Code. These software/projects may also be affected by this vulnerability, some software features (Libav/FFmpeg and Libav/FFmpeg-based projects) allow attackers to exploit this vulnerability to gain code execution opportunities.
 
For more details, see the description by vulnerability discoverer Don A. Bailey.
 
<* Source: Don A. Bailey

Link: http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
Oberhumer
---------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
 
Http://www.oberhumer.com/opensource/lzo/download/lzo-2.07.tar.gz

This article permanently updates the link address: