Debian Security Advisory DSA 2995-1 (lzo2 - security update)

Debian Security Advisory DSA 2995-1: lzo2 security update. Integer overflow flaw discovered in lzo library decompression, allowing for application crashes or potential code execution. Upgrade recommended

Reporter	Title	Published	Views	Family All 186
IBM Security Bulletins	Security Bulletin: WebSphere Cast Iron and App Connect Professional are affected by vulnerabilities in busybox, arpwatch, apr, acpid, augeas, firefox, ctdb.	15 Dec 202107:41	–	ibm
IBM Security Bulletins	IBM Security Network Protection / IBM QRadar Network Security / XGS Technote Index	31 Jan 202100:10	–	ibm
IBM Security Bulletins	Security Bulletin: A busybox vulnerability affects IBM DataPower Gateways (CVE-2014-4607)	15 Jun 201807:06	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in busybox affect IBM Security Network Protection (CVE-2014-4607, and CVE-2014-9645 )	16 Jun 201821:46	–	ibm
Amazon	Medium: lzo	9 Jul 201400:00	–	amazon
Tenable Nessus	Amazon Linux AMI : lzo (ALAS-2014-373)	12 Oct 201400:00	–	nessus
Tenable Nessus	CentOS 6 / 7 : lzo (CESA-2014:0861)	10 Jul 201400:00	–	nessus
Tenable Nessus	Debian DLA-2559-1 : busybox security update	16 Feb 202100:00	–	nessus
Tenable Nessus	Debian DLA-35-1 : lzo2 security update	26 Mar 201500:00	–	nessus
Tenable Nessus	Debian DSA-2995-1 : lzo2 - security update	4 Aug 201400:00	–	nessus

Source	Link
debian	www.debian.org/security/2014/dsa-2995.html

# OpenVAS Vulnerability Test
# $Id: deb_2995.nasl 6715 2017-07-13 09:57:40Z teissa $
# Auto-generated from advisory DSA 2995-1 using nvtgen 1.0
# Script version: 1.0
#
# Author:
# Greenbone Networks
#
# Copyright:
# Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net
# Text descriptions are largely excerpted from the referenced
# advisory, and are Copyright (c) the respective author(s)
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#

tag_affected  = "lzo2 on Debian Linux";
tag_solution  = "For the stable distribution (wheezy), this problem has been fixed in
version 2.06-1+deb7u1.

For the testing distribution (jessie), this problem has been fixed in
version 2.08-1.

For the unstable distribution (sid), this problem has been fixed in
version 2.08-1.

We recommend that you upgrade your lzo2 packages.";
tag_summary   = "Don A. Bailey from Lab Mouse Security discovered an integer overflow
flaw in the way the lzo library decompressed certain archives compressed
with the LZO algorithm. An attacker could create a specially crafted
LZO-compressed input that, when decompressed by an application using the
lzo library, would cause that application to crash or, potentially,
execute arbitrary code.";
tag_vuldetect = "This check tests the installed software version using the apt package manager.";

if(description)
{
    script_id(702995);
    script_version("$Revision: 6715 $");
    script_cve_id("CVE-2014-4607");
    script_name("Debian Security Advisory DSA 2995-1 (lzo2 - security update)");
    script_tag(name: "last_modification", value:"$Date: 2017-07-13 11:57:40 +0200 (Thu, 13 Jul 2017) $");
    script_tag(name: "creation_date", value:"2014-08-03 00:00:00 +0200 (Sun, 03 Aug 2014)");
    script_tag(name: "cvss_base", value:"10.0");
    script_tag(name: "cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");

    script_xref(name: "URL", value: "http://www.debian.org/security/2014/dsa-2995.html");


    script_category(ACT_GATHER_INFO);

    script_copyright("Copyright (c) 2014 Greenbone Networks GmbH http://greenbone.net");
    script_family("Debian Local Security Checks");
    script_dependencies("gather-package-list.nasl");
    script_mandatory_keys("ssh/login/debian_linux", "ssh/login/packages");
    script_tag(name: "affected",  value: tag_affected);
#    script_tag(name: "impact",    value: tag_impact);
    script_tag(name: "solution",  value: tag_solution);
    script_tag(name: "summary",   value: tag_summary);
    script_tag(name: "vuldetect", value: tag_vuldetect);
    script_tag(name:"qod_type", value:"package");
    script_tag(name:"solution_type", value:"VendorFix");

    exit(0);
}

include("revisions-lib.inc");
include("pkg-lib-deb.inc");

res = "";
report = "";
if ((res = isdpkgvuln(pkg:"liblzo2-2", ver:"2.06-1+deb7u1", rls:"DEB7.0")) != NULL) {
    report += res;
}
if ((res = isdpkgvuln(pkg:"liblzo2-dev", ver:"2.06-1+deb7u1", rls:"DEB7.0")) != NULL) {
    report += res;
}
if ((res = isdpkgvuln(pkg:"liblzo2-2", ver:"2.06-1+deb7u1", rls:"DEB7.1")) != NULL) {
    report += res;
}
if ((res = isdpkgvuln(pkg:"liblzo2-dev", ver:"2.06-1+deb7u1", rls:"DEB7.1")) != NULL) {
    report += res;
}
if ((res = isdpkgvuln(pkg:"liblzo2-2", ver:"2.06-1+deb7u1", rls:"DEB7.2")) != NULL) {
    report += res;
}
if ((res = isdpkgvuln(pkg:"liblzo2-dev", ver:"2.06-1+deb7u1", rls:"DEB7.2")) != NULL) {
    report += res;
}
if ((res = isdpkgvuln(pkg:"liblzo2-2", ver:"2.06-1+deb7u1", rls:"DEB7.3")) != NULL) {
    report += res;
}
if ((res = isdpkgvuln(pkg:"liblzo2-dev", ver:"2.06-1+deb7u1", rls:"DEB7.3")) != NULL) {
    report += res;
}

if (report != "") {
    security_message(data:report);
} else if (__pkg_match) {
    exit(99); # Not vulnerable.
}

13 Jul 2017 00:00Current

9High risk

Vulners AI Score9

EPSS0.05315