Date: Fri, 27 Jun 2014 15:02:02 +0530 (IST)
From: P J P <ppandit@...hat.com>
To: oss security list <oss-security@...ts.openwall.com>
Subject: Re: LMS-2014-06-16-5: Linux Kernel LZ4

   Hi,

+-- On Fri, 27 Jun 2014, Eddie Chapman wrote --+
| I think it's worth pointing out that the Linux kernel only introduced LZ4 
| support in 3.11. This is why from the new kernel.org stable releases 
| yesterday, only 3.14.9 and 3.15.2 contain the LZ4 patch. 3.10.45 and 3.4.95 
| don't.

  It's been discussed in the other thread, yet just for the record, a reply 
from the upstream author:

+-- On Fri, 27 Jun 2014 Yann Collet wrote --+
|Hi Prasad
|
|Nope, latest lz4 release is not affected.
|
|Moreover, even the linux kernel implementation is safe, for now. To trigger
|the risk, the program calling the lz4 linux kernel implementation must feed
|the decoder with blocks of more than 8 MB. None of them is doing that right
|now, so it's not exploitable.
|
|However, it's true that, in the future, maybe one program may wander into
|this area. So it's a good thing to update the LZ4 implementation today,
|before the risk gets potentially exposed by a yet unknown future program.
|
|I feel this version of the story should be more widely answered. The current
|risk has been overblown. If you have some way to answer to the sec-list
|article you linked to, could you please make it known? In the meantime, I'm
|in contact with Greg k-h, to make sure the linux kernel implementation will
|get fixed for the next Linux release.
|
|Best regards
|

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
