Package: src:lzo2
Version: 2.03-2
Severity: important
Tags: security

From http://www.oberhumer.com/opensource/lzo/:
|LZO 2.07 has been released:
|
|Fixed a potential integer overflow condition in the "safe" decompressor
|variants which could result in a possible buffer overrun when processing
|maliciously crafted compressed input data.
|
|As this issue only affects 32-bit systems and also can only happen if
|you use uncommonly huge buffer sizes where you have to decompress more
|than 16 MiB (2^24 bytes) compressed bytes within a single function call
|the practical implications are limited.
|
|POTENTIAL SECURITY ISSUE. But then, I personally do not know about any
|client program that actually is affected.

I used the version from oldstable because it seems that all versions of liblzo2 are affected.

http://www.openwall.com/lists/oss-security/2014/06/26/20

Sebastian
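The arithmetic behind the 32-bit and 16 MiB conditions in the quoted release note, as an added illustration that is not LZO's code and not part of the original report. It assumes the overflow sits in a run-length counter that grows by 255 per zero input byte; all function names are hypothetical, and `uint32_t` stands in for a 32-bit length type.

```c
#include <stdint.h>
#include <stdio.h>

/* uint32_t models a 32-bit length type, so the wrap reproduces on any host. */
typedef uint32_t len32_t;

/* Assumed encoding: n zero bytes each add 255, then a final byte adds 15 + last. */
static len32_t run_len_unchecked(uint32_t zero_bytes, uint8_t last) {
    len32_t t = 0;
    for (uint32_t i = 0; i < zero_bytes; i++)
        t += 255;                       /* wraps silently past 2^32 - 1 */
    return t + 15 + last;
}

/* Same length computed in 64 bits: what the input really asks for. */
static uint64_t run_len_true(uint32_t zero_bytes, uint8_t last) {
    return (uint64_t)zero_bytes * 255 + 15 + last;
}

/* Hardened form: refuse any length that does not fit in 32 bits. */
static int run_len_checked(uint32_t zero_bytes, uint8_t last, len32_t *out) {
    len32_t t = 0;
    for (uint32_t i = 0; i < zero_bytes; i++) {
        if (t > UINT32_MAX - 255)
            return -1;
        t += 255;
    }
    if (t > UINT32_MAX - 15 - last)
        return -1;
    *out = t + 15 + last;
    return 0;
}

/* The "safe" bounds check: does a copy of t bytes fit in avail bytes? */
static int fits(len32_t avail, len32_t t) { return t <= avail; }

int main(void) {
    uint32_t zeros = 0x01010101u;       /* constructed: just over 2^24 bytes */
    len32_t t = run_len_unchecked(zeros, 1), c = 0;
    printf("true length   : %llu\n", (unsigned long long)run_len_true(zeros, 1));
    printf("32-bit length : %u (passes 4096-byte check: %d)\n", (unsigned)t, fits(4096, t));
    printf("checked result: %d\n", run_len_checked(zeros, 1, &c));
    return 0;
}
```

With a 64-bit length type the same counter would need far more input than any real buffer holds before wrapping, which is consistent with the note that only 32-bit systems are affected.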