Your submission was sent successfully! Close

CVE-2014-4607

Published: 9 July 2014

Integer overflow in the LZO algorithm variant in Oberhumer liblzo2 and lzo-2 before 2.07 on 32-bit platforms might allow remote attackers to execute arbitrary code via a crafted Literal Run.

Priority

Medium

CVSS 3 base score: 8.8

Status

Package Release Status
grub2
Launchpad, Ubuntu, Debian
bionic Needs triage

focal
Released (2.04-1ubuntu26.8)
groovy
Released (2.04-1ubuntu35.2)
hirsute
Released (2.04-1ubuntu37)
impish
Released (2.04-1ubuntu37)
jammy
Released (2.04-1ubuntu37)
precise Ignored
(end of ESM support, was needs-triage)
trusty Needs triage

upstream Needs triage

xenial Needs triage

Patches:
upstream: https://github.com/rhboot/grub2/commit/934e762c46d118b52d8e6a4817c3bca751cb2eeb
upstream: https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3165efcfc24dab1cad5a5c2f5e7578bd876e6b52
grub2-signed
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not present)
focal
Released (1.142.10)
groovy
Released (1.155.2)
hirsute
Released (1.157)
impish
Released (1.157)
jammy
Released (1.157)
precise Does not exist

trusty Needs triage

upstream Needs triage

xenial Not vulnerable
(code not present)
krfb
Launchpad, Ubuntu, Debian
bionic
Released (4:4.13.97-0ubuntu2)
focal
Released (4:4.13.97-0ubuntu2)
groovy
Released (4:4.13.97-0ubuntu2)
hirsute
Released (4:4.13.97-0ubuntu2)
impish
Released (4:4.13.97-0ubuntu2)
jammy
Released (4:4.13.97-0ubuntu2)
lucid Does not exist

precise Does not exist

trusty Does not exist
(trusty was released [4:4.13.0-0ubuntu1.1])
upstream
Released (4.14)
xenial
Released (4:4.13.97-0ubuntu2)
lzo2
Launchpad, Ubuntu, Debian
bionic
Released (2.06-1.2ubuntu2)
focal
Released (2.06-1.2ubuntu2)
groovy
Released (2.06-1.2ubuntu2)
hirsute
Released (2.06-1.2ubuntu2)
impish
Released (2.06-1.2ubuntu2)
jammy
Released (2.06-1.2ubuntu2)
lucid Ignored
(reached end-of-life)
precise
Released (2.06-1ubuntu0.1)
saucy Ignored
(reached end-of-life)
trusty
Released (2.06-1.2ubuntu1.1)
upstream Needs triage

xenial
Released (2.06-1.2ubuntu2)

Notes

AuthorNote
amurray
grub2 has a vendored copy of minilzo which is part of lzo2 so likely any vulnerabilities that affect lzo2 may also affect minilzo in grub2 and hence grub2-signed
mdeslaur
grub2 since bug 1911440 now pulls in the system lzo2 when
building, so focal+ is fixed
grub2-signed on bionic now ships the grub binary built on a
later release, so it is not vulnerable to this CVE

References

Bugs