Vulnerability [CVE-2014-4608] recurs in Linux 3.17.2-4.5

Vulnerability [CVE-2014-4608] recurs in Linux 3.17.2-4.5

[刘长鸣]

Dear Sir/Madam:
    I'm a postgraduate student majoring in information security and
I'm very interested in software vulnerabilities, I think it's really
fascinating and I'm doing some research about how to find
vulnerabilities automatically. I have done some tests with Linux bug
commits. And  I found that the patch codes ( fixing CVE-2014-4608 )
didn't appear in the version 3.17.2 to 4.5. I'm just wondering if this
means the vulnerability ( CVE-2014-4608 ) recurs in Linux 3.17.2-4.5.
If not, is it fixed in another way?
    Thanks for your time, I'll appreciate it very much if you can give
an answer.

p.s. here is the link to CVE-2014-4608 report
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=206a81c18401c0cde6e579164f752c4b147324ce

Best regards

ZhiJun DENG
Cluster and Grid Computing Laboratory
HuaZhong University Of Science And Technology
1037 Luoyu Road,Wuhan,430074,China
Tel:+86 - 15527287870

Email：506012274@qq.com

Re: Vulnerability [CVE-2014-4608] recurs in Linux 3.17.2-4.5

[Hanjun Guo]

Hi Zhijun,

On 2016/5/31 14:45, 刘长鸣 wrote:
> Dear Sir/Madam:
>     I'm a postgraduate student majoring in information security and
> I'm very interested in software vulnerabilities, I think it's really
> fascinating and I'm doing some research about how to find
> vulnerabilities automatically. I have done some tests with Linux bug
> commits. And  I found that the patch codes ( fixing CVE-2014-4608 )
> didn't appear in the version 3.17.2 to 4.5. I'm just wondering if this

Yes, it should not in those stable versions, as the commit 206a81c
(lzo: properly check for overruns) is not the right fix, it was reverted
in commit af958a38a:

commit af958a38a60c7ca3d8a39c918c1baa2ff7b6b233
Author: Willy Tarreau <w@1wt.eu>
Date:   Sat Sep 27 12:31:36 2014 +0200

    Revert "lzo: properly check for overruns"
   
    This reverts commit 206a81c ("lzo: properly check for overruns").
   
    As analysed by Willem Pinckaers, this fix is still incomplete on
    certain rare corner cases, and it is easier to restart from the
    original code.
   
    Reported-by: Willem Pinckaers <willem@lekkertech.net>
    Cc: "Don A. Bailey" <donb@securitymouse.com>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Willy Tarreau <w@1wt.eu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

This revert is merged in v3.18-rc1, and I think there is a updated fix for this bug:

72cf901 lzo: check for length overrun in variable length encoding.

> means the vulnerability ( CVE-2014-4608 ) recurs in Linux 3.17.2-4.5.
> If not, is it fixed in another way?
>     Thanks for your time, I'll appreciate it very much if you can give
> an answer.

Just as I mentioned above, commit 72cf901 should be the right fix.

Thanks
Hanjun

Vulnerability [CVE-2014-4608] recurs in Linux 3.17.2-4.5

[刘长鸣]

Dear Sir/Madam:
    I'm a postgraduate student majoring in information security and
I'm very interested in software vulnerabilities, I think it's really
fascinating and I'm doing some research about how to find
vulnerabilities automatically. I have done some tests with Linux bug
commits. And  I found that the patch codes ( fixing CVE-2014-4608 )
didn't appear in the version 3.17.2 to 4.5. I'm just wondering if this
means the vulnerability ( CVE-2014-4608 ) recurs in Linux 3.17.2-4.5.
If not, is it fixed in another way?
    Thanks for your time, I'll appreciate it very much if you can give
an answer.

p.s. here is the link to CVE-2014-4608 report
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=206a81c18401c0cde6e579164f752c4b147324ce

Best regards

ZhiJun DENG
Cluster and Grid Computing Laboratory
HuaZhong University Of Science And Technology
1037 Luoyu Road,Wuhan,430074,China
Tel:+86 - 15527287870

Email：506012274@qq.com

Re: Vulnerability [CVE-2014-4608] recurs in Linux 3.17.2-4.5

[Hillf Danton]

> 
> Dear Sir/Madam:
>     I'm a postgraduate student majoring in information security and
> I'm very interested in software vulnerabilities, I think it's really
> fascinating and I'm doing some research about how to find
> vulnerabilities automatically. I have done some tests with Linux bug
> commits. And  I found that the patch codes ( fixing CVE-2014-4608 )
> didn't appear in the version 3.17.2 to 4.5. I'm just wondering if this
> means the vulnerability ( CVE-2014-4608 ) recurs in Linux 3.17.2-4.5.
> If not, is it fixed in another way?
>     Thanks for your time, I'll appreciate it very much if you can give
> an answer.
> 
> p.s. here is the link to CVE-2014-4608 report
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=206a81c18401 \
> c0cde6e579164f752c4b147324ce
> 
> Best regards
> 
> ZhiJun DENG
> Cluster and Grid Computing Laboratory
> HuaZhong University Of Science And Technology
> 1037 Luoyu Road,Wuhan,430074,China
> Tel:+86 - 15527287870
> 
> Email锛�506012274@qq.com
> 
Hi ZhiJun DENG

In linux-4.7-rc1 the log says,
1,	206a81c18401 ("lzo: properly check for overruns") was reverted by
	af958a38a60c ("Revert "lzo: properly check for overruns"")

2, then it was fixed in 
	72cf90124e8 ("lzo: check for length overrun in variable length encoding.")

btw, please send email in pure text to LKML.

Hillf