ACK/cmnt: [Lucid][CVE-2014-4608][PATCH 0/3] lzo: properly check for overruns
Stefan Bader
stefan.bader at canonical.com
Mon Jun 30 09:10:30 UTC 2014
On 27.06.2014 18:39, Luis Henriques wrote:
> WARNING:
> The buglink is missing in these patches! Whoever is applying
> the patches, please wait for the buglink to be provided!
>
> Following this email I'm sending 3 patches that include the Lucid fix
> for this CVE. I've used the same approach used by GregKH for the 3.4
> stable kernel backport, i.e., picked the following 3 commits:
>
> b6bec26cea94 "lib/lzo: Rename lzo1x_decompress.c to lzo1x_decompress_safe.c"
>     Backport: just dropped changes to lib/decompress_unlzo.c, which
>     doesn't exist in Lucid
>
> 8b975bd3f908 "lib/lzo: Update LZO compression to current upstream version"
>     Trivial backport (context)
>
> 206a81c18401 "lzo: properly check for overruns"
>     The actual CVE fix, a clean cherry-pick
>
> Greg Kroah-Hartman (1):
>   lzo: properly check for overruns
>
> Markus F.X.J. Oberhumer (2):
>   lib/lzo: Rename lzo1x_decompress.c to lzo1x_decompress_safe.c
>   lib/lzo: Update LZO compression to current upstream version
>
>  include/linux/lzo.h             |  15 +-
>  lib/lzo/Makefile                |   2 +-
>  lib/lzo/lzo1x_compress.c        | 335 +++++++++++++++++++++++-----------------
>  lib/lzo/lzo1x_decompress.c      | 252 ------------------------------
>  lib/lzo/lzo1x_decompress_safe.c | 255 ++++++++++++++++++++++++++++++
>  lib/lzo/lzodefs.h               |  38 +++--
>  6 files changed, 485 insertions(+), 412 deletions(-)
>  delete mode 100644 lib/lzo/lzo1x_decompress.c
>  create mode 100644 lib/lzo/lzo1x_decompress_safe.c
>
As far as I can see, the changes for Lucid are not touching any critical parts.
So there should be no surprises between this and the other picks for pre-Saucy.
Which hopefully also will make any problems quickly visible...
-Stefan