[Secure-testing-commits] r51834 - data/CVE
Salvatore Bonaccorso
carnil at moszumanska.debian.org
Mon May 22 14:52:49 UTC 2017
Author: carnil
Date: 2017-05-22 14:52:49 +0000 (Mon, 22 May 2017)
New Revision: 51834
Modified:
data/CVE/list
Log:
Update information for CVE-2017-8845 (lzo -> lrzip)
Further analysis shows that the issue is located in lrzip and not lzo2,
so resolve the TODO and mark the correct source package. Although the
CVE description states lzo2 ... as used in ... lrzip, the problematic
function "lzo_decompress_buf" is from lrzip and the issue will/should be
fixed there.
Change the source package to lrzip.
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-05-22 14:10:47 UTC (rev 51833)
+++ data/CVE/list 2017-05-22 14:52:49 UTC (rev 51834)
@@ -766,10 +766,9 @@
NOTE: https://github.com/ckolivas/lrzip/issues/71
NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-use-after-free-in-read_stream-stream-c/
CVE-2017-8845 (The lzo1x_decompress function in lzo1x_d.ch in LZO 2.08, as used in ...)
- - lzo2 <unfixed>
+ - lrzip <unfixed>
NOTE: https://github.com/ckolivas/lrzip/issues/68
NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-invalid-memory-read-in-lzo_decompress_buf-stream-c/
- TODO: check if issue to be addressed via lrzip
CVE-2017-8844 (The read_1g function in stream.c in liblrzip.so in lrzip 0.631 allows ...)
- lrzip <unfixed>
NOTE: https://github.com/ckolivas/lrzip/issues/70
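Review bot: Dropping the `- lzo2 <unfixed>` line outright leaves no record in the tracker that lzo2 was examined and found not to be the affected package, even though the CVE text on the line above still names "lzo1x_decompress function in lzo1x_d.ch in LZO 2.08". Since the log explains that "lzo_decompress_buf" lives in lrzip, consider keeping an explicit lzo2 entry with the reason, e.g. `- lzo2 <not-affected> (Issue is in lrzip's lzo_decompress_buf, not in liblzo2)` next to `+ - lrzip <unfixed>`, so a later triager matching on the CVE description does not re-add lzo2 as unfixed.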