An integer overflow in LZO might allow remote attackers to execute arbitrary code or cause a Denial of Service condition.
Package | dev-libs/lzo on all architectures |
---|---|
Affected versions | < 2.08 |
Unaffected versions | >= 2.08 |
LZO is an extremely fast compression and decompression library.
LZO is vulnerable to an integer overflow condition in the “lzo1x_decompress_safe” function which could result in a possible buffer overrun when processing maliciously crafted compressed input data.
A remote attacker could send specially crafted compressed input data possibly resulting in a Denial of Service condition or arbitrary code execution.
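The class of defect described above, a length taken from untrusted input that overflows and defeats a bounds check, is shown here as an added example; it is not LZO's code or the upstream fix. The toy run-length encoding, the 32-bit types and every function name are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { LEN_OK = 0, LEN_TRUNCATED = -1, LEN_TOO_LONG = -2 };

/* Constructed sample in a toy encoding (an assumption, not LZO's format):
 * each 0x00 byte adds 255 to a run length, the next byte adds its own value.
 * Here: 3 * 255 + 5 = 770. */
static const uint8_t SAMPLE[] = { 0x00, 0x00, 0x00, 0x05 };

/* Unsafe form: pos + len is reduced modulo 2^32, so a huge len can make the
 * sum small and the check pass. */
int fits_wrapping(uint32_t pos, uint32_t len, uint32_t cap)
{
    return (uint32_t)(pos + len) <= cap;
}

/* Hardened form: compare len with the space left; nothing here can wrap. */
int fits_safe(uint32_t pos, uint32_t len, uint32_t cap)
{
    return pos <= cap && len <= cap - pos;
}

/* Decode a run length, rejecting it as soon as it would exceed `limit`
 * (the space left in the output buffer). Invariant: t <= limit. */
int decode_run_len(const uint8_t *in, size_t n, uint32_t limit, uint32_t *len)
{
    uint32_t t = 0;
    size_t i = 0;
    while (i < n && in[i] == 0x00) {
        if (limit - t < 255) return LEN_TOO_LONG;
        t += 255;
        i++;
    }
    if (i == n) return LEN_TRUNCATED;        /* ran out of input */
    if (limit - t < (uint32_t)in[i]) return LEN_TOO_LONG;
    *len = t + in[i];
    return LEN_OK;
}

int main(void)
{
    uint32_t len = 0;
    int rc = decode_run_len(SAMPLE, sizeof SAMPLE, 1024, &len);
    printf("rc=%d len=%u\n", rc, (unsigned)len);
    printf("wrapping=%d safe=%d\n", fits_wrapping(32, 0xFFFFFFF0u, 64),
           fits_safe(32, 0xFFFFFFF0u, 64));
    return 0;
}
```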
There is no known workaround at this time.
All LZO users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose ">=dev-libs/lzo-2.08"
Release date
January 02, 2017
Latest revision
January 02, 2017: 1
Severity
normal
Exploitable
remote
Bugzilla entries