Hi Zhijun, On 2016/5/31 14:45, 刘长鸣 wrote: > Dear Sir/Madam: > I'm a postgraduate student majoring in information security and > I'm very interested in software vulnerabilities, I think it's really > fascinating and I'm doing some research about how to find > vulnerabilities automatically. I have done some tests with Linux bug > commits. And I found that the patch codes ( fixing CVE-2014-4608 ) > didn't appear in the version 3.17.2 to 4.5. I'm just wondering if this Yes, it should not in those stable versions, as the commit 206a81c (lzo: properly check for overruns) is not the right fix, it was reverted in commit af958a38a: commit af958a38a60c7ca3d8a39c918c1baa2ff7b6b233 Author: Willy Tarreau <w@xxxxxx> Date: Sat Sep 27 12:31:36 2014 +0200 Revert "lzo: properly check for overruns" This reverts commit 206a81c ("lzo: properly check for overruns"). As analysed by Willem Pinckaers, this fix is still incomplete on certain rare corner cases, and it is easier to restart from the original code. Reported-by: Willem Pinckaers <willem@xxxxxxxxxxxxxx> Cc: "Don A. Bailey" <donb@xxxxxxxxxxxxxxxxx> Cc: stable <stable@xxxxxxxxxxxxxxx> Signed-off-by: Willy Tarreau <w@xxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> This revert is merged in v3.18-rc1, and I think there is a updated fix for this bug: 72cf901 lzo: check for length overrun in variable length encoding. > means the vulnerability ( CVE-2014-4608 ) recurs in Linux 3.17.2-4.5. > If not, is it fixed in another way? > Thanks for your time, I'll appreciate it very much if you can give > an answer. Just as I mentioned above, commit 72cf901 should be the right fix. Thanks Hanjun -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html