
CVE-2014-4607

Published: 09 July 2014

Integer overflow in the LZO algorithm variant in Oberhumer liblzo2 and lzo-2 before 2.07 on 32-bit platforms might allow remote attackers to execute arbitrary code via a crafted Literal Run.

Priority

Medium

CVSS 3 base score: 8.8

Status

Package       Release                              Status
------------  -----------------------------------  --------------------------------
grub2         (Launchpad, Ubuntu, Debian)
              Upstream                             Needs triage
              Ubuntu 21.10 (Impish Indri)          Released (2.04-1ubuntu37)
              Ubuntu 21.04 (Hirsute Hippo)         Released (2.04-1ubuntu37)
              Ubuntu 20.04 LTS (Focal Fossa)       Released (2.04-1ubuntu26.8)
              Ubuntu 18.04 LTS (Bionic Beaver)     Needs triage
              Ubuntu 16.04 ESM (Xenial Xerus)      Needs triage
              Ubuntu 14.04 ESM (Trusty Tahr)       Needs triage
              Patches:
                Upstream: https://github.com/rhboot/grub2/commit/934e762c46d118b52d8e6a4817c3bca751cb2eeb
                Upstream: https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3165efcfc24dab1cad5a5c2f5e7578bd876e6b52

grub2-signed  (Launchpad, Ubuntu, Debian)
              Upstream                             Needs triage
              Ubuntu 21.10 (Impish Indri)          Released (1.157)
              Ubuntu 21.04 (Hirsute Hippo)         Released (1.157)
              Ubuntu 20.04 LTS (Focal Fossa)       Released (1.142.10)
              Ubuntu 18.04 LTS (Bionic Beaver)     Not vulnerable (code not present)
              Ubuntu 16.04 ESM (Xenial Xerus)      Not vulnerable (code not present)
              Ubuntu 14.04 ESM (Trusty Tahr)       Needs triage

krfb          (Launchpad, Ubuntu, Debian)
              Upstream                             Released (4.14)
              Ubuntu 21.10 (Impish Indri)          Released (4:4.13.97-0ubuntu2)
              Ubuntu 21.04 (Hirsute Hippo)         Released (4:4.13.97-0ubuntu2)
              Ubuntu 20.04 LTS (Focal Fossa)       Released (4:4.13.97-0ubuntu2)
              Ubuntu 18.04 LTS (Bionic Beaver)     Released (4:4.13.97-0ubuntu2)
              Ubuntu 16.04 ESM (Xenial Xerus)      Released (4:4.13.97-0ubuntu2)
              Ubuntu 14.04 ESM (Trusty Tahr)       Does not exist (trusty was released [4:4.13.0-0ubuntu1.1])

lzo2          (Launchpad, Ubuntu, Debian)
              Upstream                             Needs triage
              Ubuntu 21.10 (Impish Indri)          Released (2.06-1.2ubuntu2)
              Ubuntu 21.04 (Hirsute Hippo)         Released (2.06-1.2ubuntu2)
              Ubuntu 20.04 LTS (Focal Fossa)       Released (2.06-1.2ubuntu2)
              Ubuntu 18.04 LTS (Bionic Beaver)     Released (2.06-1.2ubuntu2)
              Ubuntu 16.04 ESM (Xenial Xerus)      Released (2.06-1.2ubuntu2)
              Ubuntu 14.04 ESM (Trusty Tahr)       Released (2.06-1.2ubuntu1.1)

Notes

Author    Note
--------  ----------------------------------------------------------------------
amurray   grub2 has a vendored copy of minilzo, which is part of lzo2, so likely any vulnerabilities that affect lzo2 may also affect minilzo in grub2 and hence grub2-signed.
mdeslaur  grub2 since bug 1911440 now pulls in the system lzo2 when building, so focal+ is fixed.
          grub2-signed on bionic now ships the grub binary built on a later release, so it is not vulnerable to this CVE.

References

Bugs