oss-sec mailing list archives
Re: LMS-2014-06-16-5: Linux Kernel LZ4
From: P J P <ppandit () redhat com>
Date: Thu, 3 Jul 2014 00:03:00 +0530 (IST)
Hello,

+-- On Fri, 27 Jun 2014, P J P wrote --+
| It's been discussed in the other thread, yet just for the record, a reply
| from the upstream author:
|
| +-- On Fri, 27 Jun 2014 Yann Collet wrote --+
| |Hi Prasad
| |
| |Nope, latest lz4 release is not affected.
| |Moreover, even the linux kernel implementation is safe, for now.

For the record:

  -> http://blog.securitymouse.com/2014/07/i-was-wrong-proving-lz4-exploitable.html

Summary: effectively, this post proves that

  - Exploits can be written against current implementations of LZ4
  - Block sizes less than 8MB (and even less than 4MB) can be malicious
  - Certain platforms are more affected than others (primarily RISC: ARM)
  - Protecting against the 16MB and greater flaw was not sufficient

--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F