oss-sec mailing list archives

Re: LMS-2014-06-16-1: Oberhumer LZO


From: Solar Designer <solar () openwall com>
Date: Fri, 27 Jun 2014 00:28:20 +0400

On Thu, Jun 26, 2014 at 12:51:32PM -0600, Don A. Bailey wrote:
> This is to inform you of a security flaw in the Oberhumer LZO algorithm,
> typically packaged as liblzo2 or lzo-2. Please read the bug report inline.

Thank you for posting this and the other 5 bug reports.  I think it's
also helpful to link to your blog post:

"Raising Lazarus - The 20 Year Old Bug that Went to Mars"
http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html

Don brought these issues to the distros list at "Mon Jun 23 16:57 UTC",
and they were already being patched by some of the affected projects at
the time - thus, (semi?)-public.  We argued for a while whether it's
appropriate to wait for more of the projects to have patches ready, or
to post to oss-security and other high-visibility places right away.
Initially, I asked that the issues be posted at least to oss-security,
as per distros list policy for public disclosure, within 24 hours.
However, as we know there ended up being a 4 day delay.  While this time
wasn't "wasted" - more patches were being produced, and Yves-Alexis
Perez of Debian came up with a lengthy list of projects that have the
affected code embedded - I do acknowledge that it's a violation of the
distros list policy, and I apologize for it.

I'd appreciate guidance from the oss-security community on how to deal
with such cases going forward: the person reporting a vulnerability
willing to wait for more projects to have it patched vs. the already
(semi?)-public nature of the vulnerability via commits, etc. by some of
the projects.  Is letting the vulnerability stay in limbo for 4 days
acceptable, or is it too much?  My initial gut feeling was "24 hours
max", which I communicated to Don and to distros list, but as we can see
actual disclosure occurred 4 days later.  (I did send a ping earlier
today, but I think the disclosure would have been today anyway.)  Should
I have pushed harder?  Should I have posted to oss-security myself (as a
BOFH list admin enforcing a policy), overriding others' preferences and
reasoning?

Yves-Alexis, can you please post that lengthy list in here?  Having it
available right away would be partial justification/excuse for the
delay in disclosing these issues appropriately. ;-)

Thanks,

Alexander
