CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
83.8%
CentOS Errata and Security Advisory CESA-2014:0861
LZO is a portable lossless data compression library written in ANSI C.
An integer overflow flaw was found in the way the lzo library decompressed
certain archives compressed with the LZO algorithm. An attacker could
create a specially crafted LZO-compressed input that, when decompressed by
an application using the lzo library, would cause that application to crash
or, potentially, execute arbitrary code. (CVE-2014-4607)
Red Hat would like to thank Don A. Bailey from Lab Mouse Security for
reporting this issue.
All lzo users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. For the update to take
effect, all services linked to the lzo library must be restarted or the
system rebooted.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2014-July/082563.html
https://lists.centos.org/pipermail/centos-announce/2014-July/082568.html
Affected packages:
lzo
lzo-devel
lzo-minilzo
Upstream details at:
https://access.redhat.com/errata/RHSA-2014:0861
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
CentOS | 6 | i686 | lzo | < 2.03-3.1.el6_5.1 | lzo-2.03-3.1.el6_5.1.i686.rpm |
CentOS | 6 | i686 | lzo-devel | < 2.03-3.1.el6_5.1 | lzo-devel-2.03-3.1.el6_5.1.i686.rpm |
CentOS | 6 | i686 | lzo-minilzo | < 2.03-3.1.el6_5.1 | lzo-minilzo-2.03-3.1.el6_5.1.i686.rpm |
CentOS | 6 | i686 | lzo | < 2.03-3.1.el6_5.1 | lzo-2.03-3.1.el6_5.1.i686.rpm |
CentOS | 6 | x86_64 | lzo | < 2.03-3.1.el6_5.1 | lzo-2.03-3.1.el6_5.1.x86_64.rpm |
CentOS | 6 | i686 | lzo-devel | < 2.03-3.1.el6_5.1 | lzo-devel-2.03-3.1.el6_5.1.i686.rpm |
CentOS | 6 | x86_64 | lzo-devel | < 2.03-3.1.el6_5.1 | lzo-devel-2.03-3.1.el6_5.1.x86_64.rpm |
CentOS | 6 | i686 | lzo-minilzo | < 2.03-3.1.el6_5.1 | lzo-minilzo-2.03-3.1.el6_5.1.i686.rpm |
CentOS | 6 | x86_64 | lzo-minilzo | < 2.03-3.1.el6_5.1 | lzo-minilzo-2.03-3.1.el6_5.1.x86_64.rpm |
CentOS | 7 | i686 | lzo | < 2.06-6.el7_0.2 | lzo-2.06-6.el7_0.2.i686.rpm |
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
83.8%