FreeBSD : LZO -- potential buffer overrun when processing malicious input data (d1f5e12a-fd5a-11e3-a108-080027ef73ec)

Medium Nessus Plugin ID 76269


The remote FreeBSD host is missing one or more security-related updates.


Markus Franz Xaver Johannes Oberhumer reports, in the package's NEWS file:

Fixed a potential integer overflow condition in the 'safe' decompressor variants which could result in a possible buffer overrun when processing maliciously crafted compressed input data.

As this issue only affects 32-bit systems and also can only happen if you use uncommonly huge buffer sizes where you have to decompress more than 16 MiB (2^24 bytes) compressed bytes within a single function call, the practical implications are limited.


Update the affected packages.

Plugin Details

Severity: Medium

ID: 76269

File Name: freebsd_pkg_d1f5e12afd5a11e3a108080027ef73ec.nasl

Version: $Revision: 1.2 $

Type: local

Published: 2014/06/27

Modified: 2015/01/07

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:busybox, p-cpe:/a:freebsd:freebsd:lzo2, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2014/06/26

Vulnerability Publication Date: 2014/06/25

Reference Information

CVE: CVE-2014-4608