oss-sec mailing list archives

Re: LMS-2014-06-16-6: LZ4 Core


From: P J P <ppandit () redhat com>
Date: Thu, 3 Jul 2014 00:00:08 +0530 (IST)


For the record,
  -> http://blog.securitymouse.com/2014/07/i-was-wrong-proving-lz4-exploitable.html

Summary: effectively, this post proves that

  - Exploits can be written against current implementations of LZ4
  - Block sizes less than 8MB (and even less than 4MB) can be malicious
  - Certain platforms are more affected than others (primarily RISC: ARM)
  - Protecting against the 16MB and greater flaw was not sufficient

--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
