Date: Sat, 28 Jun 2014 09:36:46 +0200
From: Yves-Alexis Perez <corsac@...ian.org>
To: "H. Peter Anvin" <hpa@...or.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: LMS-2014-06-16-1: Oberhumer LZO

On ven., 2014-06-27 at 14:46 -0700, H. Peter Anvin wrote:
> On 06/26/2014 02:21 PM, Yves-Alexis Perez wrote:
> > - syslinux [5] seems to embed lzo but I'm unsure if the vulnerable
> > code is really present, I can't find lzo1x_decompress_safe() code
> 
> For the record, I just upgraded Syslinux to LZO 2.07.  The only code
> that ends up in the Syslinux build at all changed only in comments and
> in #if'd out code. 

Thanks for the investigation. Is there a reason not to link with lzo
instead of embedding it?

>  The only use of LZO is in the Syslinux core, which
> uses the assembly LZO implementation, which seems to have been unaffected.

Good point, my searches indeed usually don't include any non-C
implementation, which might or might not be affected.

> 
> Syslinux does not use LZO on arbitrary data.

Thanks, so that's three reasons syslinux itself is not affected:

- embedded LZO didn't contain the affected code;
- syslinux core LZO assembly implementation is not touched;
- LZO is done only on controlled data (not under anyone's control?)

Regards,
-- 
Yves-Alexis
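The thread turns on two checks a packager has to repeat for every project that bundles LZO: which LZO version the embedded copy is, and whether the decompressor entry point (lzo1x_decompress_safe) is present at all, in C or in assembly. The script below is an added example, not code from the thread or from the Syslinux or LZO projects; it assumes only that an embedded copy ships LZO's lzoconf.h with the LZO_VERSION_STRING define, and it builds a constructed fixture tree (mimicking a compressor-only minilzo plus an assembly decompressor, as the thread describes for Syslinux) so it runs offline:

```shell
#!/bin/sh
# Added example (not from the thread): inventory embedded LZO copies in a
# source tree. Reports the LZO version from lzoconf.h and lists the files,
# split by C and assembly sources, that mention a given LZO symbol.
# Assumption: the embedded copy keeps LZO's own lzoconf.h and its
# LZO_VERSION_STRING define (true for the 2.x releases).

# Print the LZO version string found under the tree $1, or "none".
lzo_version() {
    v=$(find "$1" -type f -name lzoconf.h 2>/dev/null \
        | xargs grep -h 'define LZO_VERSION_STRING' 2>/dev/null \
        | sed -n 's/.*"\([^"]*\)".*/\1/p' | head -n 1)
    printf '%s\n' "${v:-none}"
}

# List files under tree $1 that mention symbol $2; $3 selects the source
# kind: "c" (.c/.h) or "asm" (.S/.s/.asm). Assembly is included on purpose:
# a grep limited to C files misses an assembly implementation entirely.
lzo_symbol_files() {
    tree=$1; sym=$2; kind=$3
    case "$kind" in
        c)   set -- -name '*.c' -o -name '*.h' ;;
        asm) set -- -name '*.S' -o -name '*.s' -o -name '*.asm' ;;
        *)   return 2 ;;
    esac
    find "$tree" -type f \( "$@" \) 2>/dev/null | while read -r f; do
        grep -q -- "$sym" "$f" && printf '%s\n' "$f"
    done | sort
}

# Human-readable summary for tree $1 (used when run stand-alone).
lzo_report() {
    tree=$1
    printf 'LZO version: %s\n' "$(lzo_version "$tree")"
    printf 'lzo1x_decompress_safe in C sources:\n'
    lzo_symbol_files "$tree" lzo1x_decompress_safe c | sed 's/^/  /'
    printf 'lzo1x_decompress_safe in assembly sources:\n'
    lzo_symbol_files "$tree" lzo1x_decompress_safe asm | sed 's/^/  /'
}

# Constructed fixture: NOT real Syslinux or LZO sources. Models a project
# that embeds a compressor-only minilzo and decompresses in assembly.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/lzo" "$d/core"
    printf '#define LZO_VERSION_STRING "2.07"\n' > "$d/lzo/lzoconf.h"
    printf '/* constructed: compressor only */\nint lzo1x_1_compress(void) { return 0; }\n' \
        > "$d/lzo/minilzo.c"
    printf '; constructed assembly decompressor\nlzo1x_decompress_safe:\n\tret\n' \
        > "$d/core/unlzo.S"
    printf '%s\n' "$d"
}

# Stand-alone usage: report on the fixture, or on a real tree given as $1.
if [ "${1:-}" ]; then
    lzo_report "$1"
else
    sample=$(make_sample_tree)
    lzo_report "$sample"
    rm -rf "$sample"
fi
```

Run it with a real unpacked source tree as the first argument to get the same summary for that project; the version line answers "which LZO?", and an empty C list with a non-empty assembly list is exactly the Syslinux situation described above, which a C-only grep would report as "not present".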

