Forgot your password?
typodupeerror
Security Software

Are the Hard-to-Exploit Bugs In LZO Compression Algorithm Just Hype? 65

Posted by timothy
from the you'll-never-feel-it dept.
NotInHere (3654617) writes In 1996, Markus F. X. J. Oberhumer wrote an implementation of the Lempel–Ziv compression, which is used in various places like the Linux kernel, libav, openVPN, and the Curiosity rover. As security researchers have found out, the code contained integer overflow and buffer overrun vulnerabilities, in the part of the code that was responsible for processing uncompressed parts of the data. Those vulnerabilities are, however, very hard to exploit, and their scope is dependent on the actual implementation. According to Oberhumer, the problem only affects 32-bit systems. "I personally do not know about any client program that actually is affected", Oberhumer sais, calling the news about the possible security issue a media hype.
This discussion has been archived. No new comments can be posted.

Are the Hard-to-Exploit Bugs In LZO Compression Algorithm Just Hype?

Comments Filter:
  • Re:Kernel bloat (Score:5, Informative)

    by BitZtream (692029) on Saturday June 28, 2014 @03:13PM (#47341831)

    Compressed memory? Filesystem compression? Compressed memory before swap? Compressed init filesystem?

    Lots of valid reasons. Those are just the ones that I know of off the top of my head and I don't even use Linux.

  • Famous last words (Score:5, Informative)

    by 93 Escort Wagon (326346) on Saturday June 28, 2014 @03:21PM (#47341871)

    I'm old enough to recall when many people argued we didn't have to worry about various (then theoretical) JPEG vulnerabilities because they would be "extremely hard to exploit". But once it becomes known that something is possible, people have repeatedly proven themselves extremely clever in figuring out how to accomplish it.

    If I was on the Rover team, I might not worry - but terrestrial users of LZO compression should at least start thinking about how to ameliorate this.

  • by Sits (117492) on Saturday June 28, 2014 @04:14PM (#47342109) Homepage Journal

    Whether you consider this issue is hype depends on your answer to "if a tree falls in a forest and there's no one to observe it..." thought experiment.

    The author of LZ4 has a summary with regards to LZ4 [blogspot.co.uk] (both LZO and LZ4 are based on the LZ77 compression and both contained the same flaw) - that the issue has not been demonstrated as being exploitable in currently deployed programs due to their configuration (a rather angrier redacted original reply was originally posted [blogspot.co.uk]). So at present this issue is severe but of low importance. If a way is found to exploit this problem on currently deployed popular programs without changing their configuration then this issue will also be of high importance but since this issue has now been patched hopefully newly deployed systems wouldn't be vulnerable.

FORTRAN is a good example of a language which is easier to parse using ad hoc techniques. -- D. Gries [What's good about it? Ed.]

Working...