Re: LMS-2014-06-16-5: Linux Kernel LZ4

[P J P <ppandit () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

   Hello,

+-- On Fri, 27 Jun 2014, P J P wrote --+
|   It's been discussed in the other thread, yet just for the record, a reply 
| from the upstream author:
| 
| +-- On Fri, 27 Jun 2014 Yann Collet wrote --+
| |Hi Prasad
| |
| |Nope, latest lz4 release is not affected.
| |Moreover, even the linux kernel implementation is safe, for now.

For the record:
  -> http://blog.securitymouse.com/2014/07/i-was-wrong-proving-lz4-exploitable.html

Summary: effectively, this post proves that

  - Exploits can be written against current implementations of LZ4
  - Block sizes less than 8MB (and even less than 4MB) can be malicious
  - Certain platforms are more affected than others (primarily RISC: ARM)
  - Protecting against the 16MB and greater flaw was not sufficient

- --
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTtFBcAAoJEN0TPTL+WwQftO8P+wZ/Qjm4xEb2R1AYqRmIgoYf
zbzUbPxaiuELv++63gkqb6DcKx9mwzDqxtk06ms6h25DTm+yQhqP4drwD4vg26kZ
g1H/cfB1sokdv/z+bqwjZG+AqP0IcJSuttWzQA6/0+3hkj1DUEtSaKoeJcogKUaq
lQQ3eRgLOvHBJHxmvHi326r31GAf8MrfeyupZabkDElEmJsXj6NwmUjeR1p8WcEN
gV5QfZlGPtT+kLfdRZEy8NuwiTHxn61qkeEsLyNMXfjCaIeTSXqIGdoBJC0dbW+D
7LLOWGulwoQszuxRbg/3rKT+UgGymhD4wnzTE/j+59M/dIHIIcAio8CNWq3xvtFK
2Tl6/cHnmhdPdTOnNcy/FTkhRR00YD37sgMajyXLW+IfZW0CEJDXpHuH1+1WtmIP
8gKJwKCEJLH9JormXbYjUGqVEvgxsaye6DFG5/qjk89126JeIEOGmIUc/pBhxJQc
FhyRB29uQug7Xd2YSyos51CjsOVpStfgFLhJHgRkLuAN3CV1kc5fIiD4UCWO/NmM
dLg8XdQorEP4uuFBh5kLEte9x4vWJwYnNXhuwA4XSLPaFvwpRlbq8W67Dz+SaZlT
t38aUr6Aml+G9fJZadth3oIESWmVWe9mnKiLu7iwzLMo05hRy7ODUTkAVWrDuoU/
+CX9A4GefwYxk02c9NBZ
=4WV7
-----END PGP SIGNATURE-----