An integer overflow in LZO might allow remote attackers to execute arbitrary code or cause a Denial of Service condition.
| Package | dev-libs/lzo on all architectures |
| Affected versions | < 2.08 |
| Unaffected versions | >= 2.08 |
LZO is an extremely fast compression and decompression library.
LZO is vulnerable to an integer overflow in the “lzo1x_decompress_safe” function, which could result in a buffer overrun when processing maliciously crafted compressed input data.
A remote attacker could send specially crafted compressed input data, possibly resulting in a Denial of Service condition or arbitrary code execution.
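The class of bug described above, shown on a toy length-prefixed format as an added example: this is not LZO's code or stream format, and `fits_wrapping`, `fits_safe` and `toy_decode` are hypothetical names. It contrasts a bounds check whose addition can wrap with one that compares the length against the space remaining.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy record format, constructed for this example (NOT the LZO stream format):
 * each record is a 4-byte little-endian length followed by that many bytes. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Flawed check: pos + len is computed in 32 bits and wraps for a huge len,
 * so the sum looks small and the write is accepted. Returns 1 on accept. */
int fits_wrapping(uint32_t pos, uint32_t len, uint32_t cap) {
    return (uint32_t)(pos + len) <= cap;
}

/* Hardened check: compare len with the space left; no addition, nothing wraps. */
int fits_safe(uint32_t pos, uint32_t len, uint32_t cap) {
    return pos <= cap && len <= cap - pos;
}

/* Decoder that uses subtraction-style checks on both input and output.
 * Returns the number of bytes written, or -1 if a record does not fit. */
long toy_decode(const uint8_t *in, size_t in_len, uint8_t *out, uint32_t out_cap) {
    size_t ip = 0;
    uint32_t op = 0;
    while (ip < in_len) {
        if (in_len - ip < 4) return -1;              /* truncated length field */
        uint32_t len = rd32(in + ip);
        ip += 4;
        if (len > in_len - ip) return -1;            /* would read past input */
        if (!fits_safe(op, len, out_cap)) return -1; /* would write past output */
        memcpy(out + op, in + ip, len);
        ip += len;
        op += len;
    }
    return (long)op;
}

int main(void) {
    /* Constructed sample: one record claiming 0xFFFFFFF8 bytes, output 64 bytes. */
    const uint8_t big[] = {0xF8, 0xFF, 0xFF, 0xFF, 'x'};
    uint8_t out[64];
    printf("wrapping check accepts: %d\n", fits_wrapping(16, 0xFFFFFFF8u, 64));
    printf("safe check accepts:     %d\n", fits_safe(16, 0xFFFFFFF8u, 64));
    printf("toy_decode result:      %ld\n", toy_decode(big, sizeof big, out, sizeof out));
    return 0;
}
```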
There is no known workaround at this time.
All LZO users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-libs/lzo-2.08"
January 02, 2017
January 02, 2017: 1