Re: Vulnerability [CVE-2014-4608] recurs in Linux 3.17.2-4.5
From: Hillf Danton
Date: Tue May 31 2016 - 04:17:00 EST
>
> Dear Sir/Madam:
> I'm a postgraduate student majoring in information security and
> I'm very interested in software vulnerabilities, I think it's really
> fascinating and I'm doing some research about how to find
> vulnerabilities automatically. I have done some tests with Linux bug
> commits. And I found that the patch codes ( fixing CVE-2014-4608 )
> didn't appear in the version 3.17.2 to 4.5. I'm just wondering if this
> means the vulnerability ( CVE-2014-4608 ) recurs in Linux 3.17.2-4.5.
> If not, is it fixed in another way?
> Thanks for your time, I'll appreciate it very much if you can give
> an answer.
>
> p.s. here is the link to CVE-2014-4608 report
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=206a81c18401 \
> c0cde6e579164f752c4b147324ce
>
> Best regards
>
> ZhiJun DENG
> Cluster and Grid Computing Laboratory
> HuaZhong University Of Science And Technology
> 1037 Luoyu Road,Wuhan,430074,China
> Tel:+86 - 15527287870
>
> Emailéï506012274@xxxxxx
>
Hi ZhiJun DENG
In linux-4.7-rc1 the log says,
1, 206a81c18401 ("lzo: properly check for overruns") was reverted by
af958a38a60c ("Revert "lzo: properly check for overruns"")
2, then it was fixed in
72cf90124e8 ("lzo: check for length overrun in variable length encoding.")
btw, please send email in pure text to LKML.
Hillf