oss-sec mailing list archives
Re: LMS-2014-06-16-1: Oberhumer LZO
From: Solar Designer <solar () openwall com>
Date: Fri, 27 Jun 2014 00:28:20 +0400
On Thu, Jun 26, 2014 at 12:51:32PM -0600, Don A. Bailey wrote:
> This is to inform you of a security flaw in the Oberhumer LZO algorithm, typically packaged as liblzo2 or lzo-2. Please read the bug report inline.
Thank you for posting this and the other 5 bug reports. I think it's also helpful to link to your blog post:

"Raising Lazarus - The 20 Year Old Bug that Went to Mars"
http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html

Don brought these issues to the distros list at "Mon Jun 23 16:57 UTC", and they were already being patched by some of the affected projects at the time - thus, (semi?)-public. We argued for a while whether it's appropriate to wait for more of the projects to have patches ready, or to post to oss-security and other high-visibility places right away. Initially, I asked that the issues be posted at least to oss-security, as per distros list policy for public disclosure, within 24 hours. However, as we know there ended up being a 4-day delay.

While this time wasn't "wasted" - more patches were being produced, and Yves-Alexis Perez of Debian came up with a lengthy list of projects that have the affected code embedded - I do acknowledge that it's a violation of the distros list policy, and I apologize for it.

I'd appreciate guidance from the oss-security community on how to deal with such cases going forward: the person reporting a vulnerability willing to wait for more projects to have it patched vs. the already (semi?)-public nature of the vulnerability via commits, etc. by some of the projects. Is letting the vulnerability stay in limbo for 4 days acceptable, or is it too much? My initial gut feeling was "24 hours max", which I communicated to Don and to distros list, but as we can see actual disclosure occurred 4 days later. (I did send a ping earlier today, but I think the disclosure would have been today anyway.) Should I have pushed harder? Should I have posted to oss-security myself (as a BOFH list admin enforcing a policy), overriding others' preferences and reasoning?

Yves-Alexis, can you please post that lengthy list in here? Having it available right away would be partial justification/excuse for the delay in disclosing these issues appropriately. ;-)

Thanks,

Alexander
Current thread:
- LMS-2014-06-16-1: Oberhumer LZO Don A. Bailey (Jun 26)
- Re: LMS-2014-06-16-1: Oberhumer LZO Solar Designer (Jun 26)
- Re: LMS-2014-06-16-1: Oberhumer LZO Don A. Bailey (Jun 26)
- Re: LMS-2014-06-16-1: Oberhumer LZO Solar Designer (Jun 26)
- Re: LMS-2014-06-16-1: Oberhumer LZO Don A. Bailey (Jun 26)
- Re: LMS-2014-06-16-1: Oberhumer LZO Don A. Bailey (Jun 26)
- Re: LMS-2014-06-16-1: Oberhumer LZO Yves-Alexis Perez (Jun 26)
- Re: LMS-2014-06-16-1: Oberhumer LZO H. Peter Anvin (Jun 27)
- Re: LMS-2014-06-16-1: Oberhumer LZO Yves-Alexis Perez (Jun 28)
- Re: LMS-2014-06-16-1: Oberhumer LZO Solar Designer (Jun 26)