[Pkg-xen-devel] Bug#1085137: libxen: Libxen Includes Code Similar to LZO Decompressor with a Known CVE

Andrew Cooper andrew.cooper3 at citrix.com
Wed Oct 16 21:54:54 BST 2024


On Tue, 15 Oct 2024 14:20:02 +0400 Mariam Arutunian
<mariamarutunian at gmail.com> wrote:
> Package: libxen
> Version: 4.17.3
> Severity: normal
> X-Debbugs-Cc: mariamarutunian at gmail.com
>
> Dear Maintainer,
> A vulnerability identified as CVE-2014-4608 was discovered and fixed
> in the LZO decompressor in the Linux kernel with the following commit:
> https://github.com/torvalds/linux/commit/206a81c18401c0cde6e579164f752c4b147324ce,
> which amended the "lzo1x_decompress_safe" function located in the
> lib/lzo/lzo1x_decompress_safe.c file.
> The Xen project contains a similar "lzo1x_decompress_safe" function in the
> xen/common/lzo.c file, which has not been fixed.

Linux commit 206a81c18401 ("lzo: properly check for overruns") was
reverted a month later in af958a38a60c ("Revert "lzo: properly check for
overruns"") and then fixed differently in 72cf90124e87 ("lzo: check for
length overrun in variable length encoding.")

Xen mirrored that sequence with 504f70b62406, 092978f2ffcf and then
10a94ddbd2eb.

~Andrew
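The "length overrun in variable length encoding" named in the final fix is the decoder's accumulated count wrapping when a run of 0x00 bytes is long enough, which is a different defect from reading past the end of the input. The following is an added example written for this note, not code from xen/common/lzo.c or lib/lzo: it models the LZO run-of-zeros count encoding and decodes it once without and once with a bound on the count. The 32-bit len_t (so the wrap is reachable with a ~16 MB input), the function and constant names, the sample inputs and the bound, modelled on the MAX_255_COUNT limit the Linux fix introduced, are all assumptions made here for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Stand-alone model of the LZO "run of zero bytes" count encoding and of two
 * ways to decode it. Written for this note; not code from xen/common/lzo.c or
 * lib/lzo. len_t models a 32-bit size_t (assumption) so the wrap is reachable.
 */
typedef uint32_t len_t;
#define LEN_MAX        ((len_t)~(len_t)0)
/* Most 0x00 bytes whose 255s, plus a base and a terminator of at most 255
 * each, still fit in len_t without wrapping (shape of Linux's MAX_255_COUNT). */
#define MAX_255_COUNT  ((LEN_MAX / 255) - 2)

enum { DEC_OK = 0, DEC_ERR_INPUT_OVERRUN = -1, DEC_ERR_LENGTH = -2 };

/*
 * Encoding: every 0x00 adds 255; the first non-zero byte ends the run and is
 * added together with a format-specific base (<= 255). Both decoders refuse
 * to read past `avail`; only the safe one bounds the accumulated total.
 */
static int decode_count_unsafe(const uint8_t *ip, size_t avail, len_t base,
                               len_t *t_out, size_t *consumed)
{
    size_t i = 0;
    len_t t = 0;

    while (i < avail && ip[i] == 0) {
        t += 255;                       /* wraps silently after LEN_MAX/255 zeros */
        i++;
    }
    if (i >= avail)
        return DEC_ERR_INPUT_OVERRUN;   /* terminator never arrived */
    *t_out = t + base + ip[i];
    *consumed = i + 1;
    return DEC_OK;
}

static int decode_count_safe(const uint8_t *ip, size_t avail, len_t base,
                             len_t *t_out, size_t *consumed)
{
    size_t zeros = 0;

    while (zeros < avail && ip[zeros] == 0)
        zeros++;
    if (zeros >= avail)
        return DEC_ERR_INPUT_OVERRUN;
    if (zeros > MAX_255_COUNT)
        return DEC_ERR_LENGTH;          /* count not representable: reject */
    *t_out = (len_t)zeros * 255 + base + ip[zeros];
    *consumed = zeros + 1;
    return DEC_OK;
}

/* Constructed sample inputs (not captured from any real stream). */
static const uint8_t honest_input[] = { 0x00, 0x00, 0x00, 0x07 }; /* 3*255+15+7 */
static const uint8_t truncated_input[] = { 0x00, 0x00 };          /* no terminator */
#define HOSTILE_ZEROS ((size_t)MAX_255_COUNT + 3)   /* three zeros past the limit */

static int decode(int use_safe, const uint8_t *ip, size_t avail, len_t *t)
{
    size_t used;
    return use_safe ? decode_count_safe(ip, avail, 15, t, &used)
                    : decode_count_unsafe(ip, avail, 15, t, &used);
}

/* Length the chosen decoder reports for the honest input (787 for both). */
static len_t honest_length(int use_safe)
{
    len_t t = 0;
    decode(use_safe, honest_input, sizeof honest_input, &t);
    return t;
}

/* Return code for the truncated input (both report an input overrun). */
static int truncated_rc(int use_safe)
{
    len_t t = 0;
    return decode(use_safe, truncated_input, sizeof truncated_input, &t);
}

/* Hostile input: HOSTILE_ZEROS bytes of 0x00, then 0x01. The unsafe decoder
 * accepts it with a wrapped length of 270; the safe one returns DEC_ERR_LENGTH. */
static int hostile_decode(int use_safe, len_t *t)
{
    uint8_t *buf = calloc(HOSTILE_ZEROS + 1, 1);
    int rc;

    *t = 0;
    if (!buf)
        return DEC_ERR_LENGTH;
    buf[HOSTILE_ZEROS] = 0x01;
    rc = decode(use_safe, buf, HOSTILE_ZEROS + 1, t);
    free(buf);
    return rc;
}
static len_t hostile_length(int use_safe) { len_t t; hostile_decode(use_safe, &t); return t; }
static int hostile_rc(int use_safe) { len_t t; return hostile_decode(use_safe, &t); }

int main(void)
{
    printf("unsafe: rc=%d length=%u (true length ~4.29e9)\n",
           hostile_rc(0), (unsigned)hostile_length(0));
    printf("safe:   rc=%d\n", hostile_rc(1));
    return 0;
}
```

The truncated case shows that the per-byte input check was already there; the wrap is the separate defect, and a decoder that only checks its reads passes a length of 270 on to the copy loop for a stream whose real count is about 4.29 billion. With a 64-bit size_t the same wrap would need roughly 7e16 zero bytes, so the reachable case is a 32-bit build.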
