Vulnerability Details : CVE-2014-4608
** DISPUTED ** Multiple integer overflows in the lzo1x_decompress_safe function in lib/lzo/lzo1x_decompress_safe.c in the LZO decompressor in the Linux kernel before 3.15.2 allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Literal Run. NOTE: the author of the LZO algorithms says "the Linux kernel is *not* affected; media hype."
Vulnerability category: Overflow, Memory Corruption, Denial of service
Exploit prediction scoring system (EPSS) score for CVE-2014-4608
Probability of exploitation activity in the next 30 days: 1.11%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 84 %
CVSS scores for CVE-2014-4608
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
CWE ids for CVE-2014-4608
- The product performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-4608
- http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00010.html
  [security-announce] SUSE-SU-2015:0481-1: important: Security update for (tags: Mailing List; Third Party Advisory)
- http://www.ubuntu.com/usn/USN-2417-1
  USN-2417-1: Linux kernel vulnerabilities | Ubuntu security notices (tags: Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00025.html
  [security-announce] openSUSE-SU-2015:0566-1: important: kernel update fo (tags: Mailing List; Third Party Advisory)
- http://www.ubuntu.com/usn/USN-2420-1
  USN-2420-1: Linux kernel vulnerabilities | Ubuntu security notices (tags: Third Party Advisory)
- http://www.securityfocus.com/bid/68214
  Linux Kernel LZO Implementation 'lzo1x_decompress_safe.c' Memory Corruption Vulnerability (tags: Third Party Advisory; VDB Entry)
- https://bugzilla.redhat.com/show_bug.cgi?id=1113899
  1113899 – (CVE-2014-4608) CVE-2014-4608 kernel: lzo1x_decompress_safe() integer overflow (tags: Issue Tracking; Third Party Advisory)
- https://github.com/torvalds/linux/commit/206a81c18401c0cde6e579164f752c4b147324ce
  lzo: properly check for overruns · torvalds/linux@206a81c · GitHub (tags: Patch; Third Party Advisory)
- http://www.oberhumer.com/opensource/lzo/
  oberhumer.com: LZO real-time data compression library (tags: Third Party Advisory)
- http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.15.2
  (tags: Release Notes; Vendor Advisory)
- http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=206a81c18401c0cde6e579164f752c4b147324ce
  kernel/git/torvalds/linux.git - Linux kernel source tree (tags: Patch; Vendor Advisory)
- http://rhn.redhat.com/errata/RHSA-2015-0062.html
  RHSA-2015:0062 - Security Advisory - Red Hat Customer Portal (tags: Third Party Advisory)
- http://www.ubuntu.com/usn/USN-2418-1
  USN-2418-1: Linux kernel (OMAP4) vulnerabilities | Ubuntu security notices (tags: Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00015.html
  [security-announce] SUSE-SU-2015:0736-1: important: Security update for (tags: Mailing List; Third Party Advisory)
- http://www.ubuntu.com/usn/USN-2416-1
  USN-2416-1: Linux kernel (EC2) vulnerabilities | Ubuntu security notices (tags: Third Party Advisory)
- https://www.securitymouse.com/lms-2014-06-16-2
  Origin DNS error | www.securitymouse.com | Cloudflare (tags: Broken Link)
- http://www.ubuntu.com/usn/USN-2419-1
  USN-2419-1: Linux kernel (Trusty HWE) vulnerabilities | Ubuntu security notices (tags: Third Party Advisory)
- http://www.ubuntu.com/usn/USN-2421-1
  USN-2421-1: Linux kernel vulnerabilities | Ubuntu security notices (tags: Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2014/06/26/21
  oss-security - LMS-2014-06-16-2: Linux Kernel LZO (tags: Mailing List; Third Party Advisory)
- http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html
  The Mouse Trap: Raising Lazarus - The 20 Year Old Bug that Went to Mars (tags: Third Party Advisory)
Products affected by CVE-2014-4608
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:suse:linux_enterprise_server:11:sp2:*:*:ltss:*:*:*
- cpe:2.3:o:suse:linux_enterprise_real_time_extension:11:sp3:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:*