Hello community, here is the log from the commit of package lzo for openSUSE:Factory checked in at 2014-07-10 08:16:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/lzo (Old) and /work/SRC/openSUSE:Factory/.lzo.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "lzo" Changes: -------- --- /work/SRC/openSUSE:Factory/lzo/lzo.changes 2013-04-17 23:06:38.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.lzo.new/lzo.changes 2014-07-10 08:16:56.000000000 +0200 @@ -1,0 +2,27 @@ +Wed Jul 2 11:35:21 UTC 2014 - mrueckert@suse.de + +- update to 2.08 (bnc#883947) CVE-2014-4607 + - Updated the Autoconf scripts to fix some reported build + problems. + - Added CMake build support. + - Fixed lzo_init() on big-endian architectures like Sparc. +- additional changes in 2.07 + * Fixed a potential integer overflow condition in the "safe" + decompressor variants which could result in a possible buffer + overrun when processing maliciously crafted compressed input + data. + + Fortunately this issue only affects 32-bit systems and also can + only happen if you use uncommonly huge buffer sizes where you + have to decompress more than 16 MiB (> 2^24 bytes) untrusted + compressed bytes within a single function call, so the + practical implications are limited. + + POTENTIAL SECURITY ISSUE. CVE-2014-4607. + + * Removed support for ancient configurations like 16-bit "huge" + pointers - LZO now requires a flat 32-bit or 64-bit memory + model. + * Assorted cleanups. + +------------------------------------------------------------------- Old: ---- lzo-2.06.tar.gz New: ---- lzo-2.08.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ lzo.spec ++++++ --- /var/tmp/diff_new_pack.iJlWzD/_old 2014-07-10 08:16:57.000000000 +0200 +++ /var/tmp/diff_new_pack.iJlWzD/_new 2014-07-10 08:16:57.000000000 +0200 
@@ -18,7 +18,7 @@ Name: lzo Url: http://www.oberhumer.com/opensource/lzo/ -Version: 2.06 +Version: 2.08 Release: 0 Source: http://www.oberhumer.com/opensource/%{name}/download/%{name}-%{version}.tar.gz Source2: baselibs.conf ++++++ lzo-2.06.tar.gz -> lzo-2.08.tar.gz ++++++ ++++ 66324 lines of diff (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
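Review bot: In the lzo.changes hunk, the headline entry "- update to 2.08 (bnc#883947) CVE-2014-4607" attaches the CVE to 2.08, while the integer overflow fix in the "safe" decompressor variants is listed under "additional changes in 2.07". Someone searching the changelog for the CVE gets two hits that imply different fixing versions. Suggest wording the headline so it says that 2.08 carries the 2.07 fix for CVE-2014-4607, and using one bullet marker for the nested items (the 2.08 items use "-", the 2.07 items use "*").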
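Review bot: In the lzo.spec hunk, only the Version line changes, so the tarball for this security update is still fetched from the plain http:// Source URL, and the visible context shows no signature or checksum source beside "Source2: baselibs.conf". Because the lzo-2.06.tar.gz -> lzo-2.08.tar.gz diff is skipped (66324 lines), the review rests on trusting the archive as downloaded. If upstream publishes an https URL or a detached signature, suggest switching Source to it or adding the signature as an extra Source so the build can verify the tarball.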
participants (1)
-
root@hilbert.suse.de