Out-of-bounds Read in lzo2

Do your applications use this vulnerable package? Test your applications

Overview

The lzo1x_decompress function in lzo1x_d.ch in LZO 2.08, as used in lrzip 0.631, allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted archive.

References

Debian Security Tracker
GENTOO
GitHub Issue
Ubuntu CVE Tracker
https://blogs.gentoo.org/ago/2017/05/07/lrzip-invalid-memory-read-in-lzo_decompress_buf-stream-c/

Attack Vector

Local
Attack Complexity

Low
Privileges Required

None
User Interaction

Required
Scope

Unchanged
Confidentiality

None
Integrity

None
Availability

High

CVE: CVE-2017-8845
CWE: CWE-125
Snyk ID: SNYK-UBUNTU1804-LZO2-275946
Disclosed: 08 May, 2017
Published: 08 May, 2017

Out-of-bounds Read
Affecting lzo2 package, versions *

Overview

References

CVSS Score

Out-of-bounds Read Affecting lzo2 package, versions *

Overview

References

Out-of-bounds Read
Affecting lzo2 package, versions *