oss-sec mailing list archives
Re: LMS-2014-06-16-1: Oberhumer LZO
From: Yves-Alexis Perez <corsac () debian org>
Date: Thu, 26 Jun 2014 23:21:34 +0200
On Fri., 2014-06-27 at 00:28 +0400, Solar Designer wrote:

> Yves-Alexis, can you please post that lengthy list in here?

Sure :)

> Having it available right away would be partial justification/excuse for the delay in disclosing these issues appropriately. ;-)
While it indeed took some time to do the search, having to contact all the projects would have been really too long, so I think posting the list definitely makes sense, in the hope that at least some people from those projects read the list, or some people reading the list will have the time to file bugs.

I also need to remind the list that I did the checks using codesearch.debian.net [1,2], which is a really helpful tool for that kind of thing, but:
- it only indexes packages from Debian sid (so not upstream, for example)
- it doesn't reveal if those embedded codes are actually used.

Still, I find the amount of embedded minilzo libs (for example) worrying. Here's the data.

For LZO:
- grub2 [3] embeds minilzo
- busybox [4] embeds minilzo
- syslinux [5] seems to embed lzo but I'm unsure if the vulnerable code is really present, I can't find lzo1x_decompress_safe() code
- xen [6] embeds lzo
- chromium embeds lzo through ffmpeg
- valgrind [7] seems to include bits of minilzo but I'm not sure the vulnerable code is present
- remmina [8] includes minilzo (apparently through libvncserver)
- blender [9] embeds minilzo
- x11vnc embeds minilzo (twice!, through libvncserver [10] and libvncclient [11])
- italc [12] embeds minilzo
- dump [13] embeds minilzo
- krfb [14] embeds minilzo through libvncserver
- nfdump [15] embeds minilzo
- kino [16] embeds lzo through ffmpeg
- samhain [17] embeds minilzo
- u-boot [18] embeds minilzo decompressor
- icecc [19] embeds minilzo
- bb [20] embeds minilzo
- mednafen [21] embeds minilzo
- ht [22] embeds minilzo
- n2n [23] embeds minilzo

Apparently, libvncserver/libvncclient themselves stopped embedding minilzo, at least in Debian.

For LZ4:
- pytables [24] embeds lz4
- gtkwave [25] embeds lz4
- php-horde-lz4 [26] embeds lz4

With more generic searches [27,28,29] we can also find some other traces.

I can find traces of lzo in:
- xine-lib [30] (obsolete, apparently embedded an ffmpeg/libav copy)

And traces of lz4 in:
- grub2 [31] (zfs file system support, implementation from Yann Collet but LZ4_decompress_generic doesn't seem present)
- iceweasel/firefox [32,33] embeds LZ4
- efl [34] (Enlightenment Foundation Library, Yann Collet implementation, but again LZ4_decompress_generic is not present)
- eet [35] (seems to be an old Enlightenment lib, not sure it's relevant anymore, embeds the Yann Collet implementation)
- kfreebsd/zfsutils (obviously)

As far as I can tell there's only embedded stuff, no new implementation, but I might be wrong.

Regards,

[1]: http://codesearch.debian.net/search?q=%28%3Fi%29lzo1._decompress_safe
[2]: http://codesearch.debian.net/search?q=%28%3Fi%29LZ4_decompress_generic
[3]: http://sources.debian.net/src/grub2/2.02~beta2-10/grub-core/lib/minilzo
[4]: http://sources.debian.net/src/busybox/1:1.22.0-6/archival/libarchive/lzo1x_d.c?hl=33#L33
[5]: http://sources.debian.net/src/syslinux/3:6.03~pre17%2Bdfsg-1/lzo/LZO.TXT
[6]: http://sources.debian.net/src/xen/4.3.0-3/xen/common/lzo.c#L303
[7]: http://sources.debian.net/src/valgrind/1:3.9.0-6/coregrind/m_debuginfo/minilzo-inl.c
[8]: http://sources.debian.net/src/remmina/1.0.0-6/remmina-plugins/vnc/libvncserver/common/minilzo.c
[9]: http://sources.debian.net/src/blender/2.70a-2/extern/lzo/minilzo
[10]: http://sources.debian.net/src/x11vnc/0.9.13-1.1/libvncserver/minilzo.c
[11]: http://sources.debian.net/src/x11vnc/0.9.13-1.1/libvncclient/minilzo.c
[12]: http://sources.debian.net/src/italc/1:2.0.1-4/ica/x11/common/minilzo.c
[13]: http://sources.debian.net/src/dump/0.4b44-4/compat/lib/minilzo.c
[14]: http://sources.debian.net/src/krfb/4:4.12.2-2/libvncserver/minilzo.c
[15]: http://sources.debian.net/src/nfdump/1.6.8p1-1/bin/minilzo.c
[16]: http://sources.debian.net/src/kino/1.3.4-2.1/ffmpeg/libavutil/lzo.c
[17]: http://sources.debian.net/src/samhain/3.1.0-6/src/minilzo.c
[18]: http://sources.debian.net/src/u-boot/2014.04%2Bdfsg1-1/lib/lzo/lzo1x_decompress.c
[19]: http://sources.debian.net/src/icecc/1.0.1-1/minilzo/minilzo.c
[20]: http://sources.debian.net/src/bb/1.3rc1-8.1/minilzo.c
[21]: http://sources.debian.net/src/mednafen/0.9.35.1-1/src/compress/minilzo.c
[22]: http://sources.debian.net/src/ht/2.0.22-2/minilzo/minilzo.c
[23]: http://sources.debian.net/src/n2n/1.3.1~svn3789-4/minilzo.c
[24]: http://sources.debian.net/src/pytables/3.1.1-1/c-blosc/internal-complibs/lz4-r113/lz4.c?hl=719#L719
[25]: http://sources.debian.net/src/gtkwave/3.3.60-1/src/helpers/fst/lz4.c#L412
[26]: http://sources.debian.net/src/php-horde-lz4/1.0.3-1/horde_lz4-1.0.3/lz4.c?hl=668#L668
[27]: http://codesearch.debian.net/search?q=%28%3Fi%29LZOcontext
[28]: http://codesearch.debian.net/search?q=%28%3Fi%29LZ4_
[29]: http://codesearch.debian.net/search?q=%28%3Fi%29Yann+Collet
[30]: http://sources.debian.net/src/xine-lib/1.1.21-1+deb7u1/src/libffmpeg/libavcodec/lzo.c
[31]: http://sources.debian.net/src/grub2/2.02~beta2-9/grub-core/fs/zfs/zfs_lz4.c
[32]: http://sources.debian.net/src/iceweasel/30.0-2/toolkit/components/workerlz4/
[33]: http://sources.debian.net/src/iceweasel/30.0-2/mfbt/lz4.c
[34]: http://sources.debian.net/src/efl/1.8.6-2/src/static_libs/lz4
[35]: https://github.com/kakaroto/e17/tree/master/eet/src/lib/lz4

-- 
Yves-Alexis
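A local counterpart to the codesearch.debian.net check the post describes, added here as an example (not code from the post or from any of the listed projects): it walks a source checkout for the two decompressor entry points that were searched for, and, to help triage which copy a project carries, for the MINILZO_VERSION and LZ4_VERSION_MAJOR macros, which are assumed names from minilzo.h and lz4.h. The sample tree scanned by demo() is constructed, and a hit carries the same caveat as the post: it shows an embedded copy, not that the code is compiled in or reachable.

```python
import os
import re
import tempfile

# Entry points the post grepped for (lzo1._decompress_safe, LZ4_decompress_generic)
# plus version macros (assumed, as in minilzo.h and lz4.h) to help triage copies.
MARKERS = {
    "lzo1*_decompress_safe": re.compile(r"\blzo1[a-z]_decompress_safe\s*\("),
    "LZ4_decompress_generic": re.compile(r"\bLZ4_decompress_generic\s*\("),
}
VERSIONS = {
    "MINILZO_VERSION": re.compile(r"#\s*define\s+MINILZO_VERSION\s+(0x[0-9A-Fa-f]+)"),
    "LZ4_VERSION_MAJOR": re.compile(r"#\s*define\s+LZ4_VERSION_MAJOR\s+(\d+)"),
}
SOURCE_EXT = (".c", ".h", ".cc", ".cpp", ".hpp")

def scan_text(text):
    """Return (marker names present, {macro: value}) for one file's text."""
    found = [name for name, rx in MARKERS.items() if rx.search(text)]
    versions = {}
    for name, rx in VERSIONS.items():
        m = rx.search(text)
        if m:
            versions[name] = m.group(1)
    return found, versions

def scan_tree(root):
    """Walk a source tree; map relative path -> (markers, versions) for hits.
    A hit is a copy to inspect, not proof that it is compiled in or reachable."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith(SOURCE_EXT):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found, versions = scan_text(fh.read())
            if found or versions:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = (found, versions)
    return report

def demo():
    """Scan a constructed sample tree (not real minilzo/lz4 sources)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "extern"))
        with open(os.path.join(root, "extern", "minilzo.c"), "w") as fh:
            fh.write("#define MINILZO_VERSION 0x2060\n"
                     "int lzo1x_decompress_safe(const unsigned char *in);\n")
        return scan_tree(root)
```

Run scan_tree() on an unpacked source package to get the per-file report; demo() shows the output shape on the constructed tree.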