Date: Sat, 28 Jun 2014 09:36:46 +0200
From: Yves-Alexis Perez <corsac@...ian.org>
To: "H. Peter Anvin" <hpa@...or.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: LMS-2014-06-16-1: Oberhumer LZO

On Fri., 2014-06-27 at 14:46 -0700, H. Peter Anvin wrote:
> On 06/26/2014 02:21 PM, Yves-Alexis Perez wrote:
> > - syslinux seems to embed lzo but I'm unsure if the vulnerable
> > code is really present, I can't find lzo1x_decompress_safe() code
>
> For the record, I just upgraded Syslinux to LZO 2.07. The only code
> that ends up in the Syslinux build at all changed only in comments and
> in #if'd out code.

Thanks for the investigation. Is there a reason not to link with lzo instead of embedding it?

> The only use of LZO is in the Syslinux core, which
> uses the assembly LZO implementation, which seems to have been unaffected.

Good point, my searches indeed usually don't include any non-C implementation, which might or might not be affected.

> Syslinux does not use LZO on arbitrary data.

Thanks, so that's three reasons syslinux itself is not affected:
- embedded LZO didn't contain the affected code;
- syslinux core LZO assembly implementation is not touched;
- LZO is done only on controlled data (not under anyone's control?)

Regards,
-- 
Yves-Alexis
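The point made above, that a search for embedded LZO copies which only looks at C files misses an assembly implementation, is easy to get wrong when triaging a tree full of vendored code. The script below is an added example written for this page, not code from the thread, from Syslinux or from the LZO project. It walks a source tree, reports any vendored LZO version header (it assumes the `LZO_VERSION_STRING` macro that LZO's own `lzoconf.h` defines), any C file that defines or references `lzo1x_decompress_safe`, and any assembly file (`.S`, `.s`, `.asm`, `.inc`) that mentions an `lzo1x` decompressor, then gives a verdict: `absent`, `no-decompressor`, `updated` (C decompressor present and every version header is 2.07 or newer) or `review` (older or unknown version with a C decompressor, or an assembly copy that has to be inspected by hand). The function names and the verdict words are this example's own choices, and it does not decide whether the data fed to the decompressor is attacker-controlled; that remains a manual step.

```shell
#!/bin/sh
# Added example (not from the thread): find vendored LZO copies in a source
# tree, including assembly implementations that a C-only grep would miss.
# Assumes LZO's lzoconf.h-style "#define LZO_VERSION_STRING "x.yz"".

# Print the first LZO_VERSION_STRING value found in a header, or "unknown".
lzo_version_of() {
    v=$(sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}LZO_VERSION_STRING[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${v:-unknown}"
}

# Is an LZO version string older than 2.07 (the version the thread moved to)?
# Prints "yes" or "no"; unknown or malformed strings are treated as "yes".
lzo_older_than_207() {
    case "$1" in
        ''|*[!0-9.]*) printf 'yes\n'; return 0 ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor#0}            # "06" -> "6" so sh arithmetic does not read it as octal
    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "${minor:-0}" -lt 7 ]; }; then
        printf 'yes\n'
    else
        printf 'no\n'
    fi
}

# One finding per line: "<kind> <path> [<version>]" (paths without spaces).
#   version   header carrying LZO_VERSION_STRING
#   c-decomp  C source/header that defines or references lzo1x_decompress_safe
#   asm       assembly file mentioning an lzo1x decompressor
scan_lzo_tree() {
    dir="$1"
    find "$dir" -type f -name '*.h' 2>/dev/null | sort | while read -r f; do
        if grep -q 'LZO_VERSION_STRING' "$f"; then
            printf 'version %s %s\n' "$f" "$(lzo_version_of "$f")"
        fi
    done
    find "$dir" -type f \( -name '*.c' -o -name '*.h' \) 2>/dev/null | sort | while read -r f; do
        if grep -q 'lzo1x_decompress_safe' "$f"; then
            printf 'c-decomp %s\n' "$f"
        fi
    done
    find "$dir" -type f \( -name '*.S' -o -name '*.s' -o -name '*.asm' -o -name '*.inc' \) 2>/dev/null \
        | sort | while read -r f; do
        if grep -qi 'lzo1x_decompress' "$f"; then
            printf 'asm %s\n' "$f"
        fi
    done
}

# Verdict for a tree: absent | no-decompressor | updated | review
lzo_tree_verdict() {
    findings=$(scan_lzo_tree "$1")
    if [ -z "$findings" ]; then
        printf 'absent\n'
        return 0
    fi
    # An assembly copy cannot be judged by version header alone: flag it.
    if printf '%s\n' "$findings" | grep -q '^asm '; then
        printf 'review\n'
        return 0
    fi
    if printf '%s\n' "$findings" | grep -q '^c-decomp '; then
        vers=$(printf '%s\n' "$findings" | awk '$1 == "version" { print $3 }')
        if [ -z "$vers" ]; then
            printf 'review\n'       # decompressor present, version unknown
            return 0
        fi
        for ver in $vers; do
            if [ "$(lzo_older_than_207 "$ver")" = yes ]; then
                printf 'review\n'
                return 0
            fi
        done
        printf 'updated\n'
        return 0
    fi
    printf 'no-decompressor\n'       # only headers/other LZO bits, no decompressor found
}

# Usage: . ./lzo-scan.sh; scan_lzo_tree /path/to/tree; lzo_tree_verdict /path/to/tree
if [ -n "$1" ]; then
    scan_lzo_tree "$1"
    lzo_tree_verdict "$1"
fi
```

Run it against an unpacked source package (`sh lzo-scan.sh ./syslinux-6.x`) rather than a built tree, since the question is what is compiled in; a `review` verdict on an assembly file means exactly what the thread says: somebody has to read that implementation, because the C advisory tells you nothing about it.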