Date: Wed, 21 Dec 2016 20:46:43 +0000
From: tapper <lancett01@...glemail.com>
To: oss-security@...ts.openwall.com
Subject: Re: Curious about the security of my router fermwair.

Thanks very much for this, I will pass this on to the devs. I don't see this being much of a problem; I will make a PR. I scanned my device with nmap and didn't find anything open that should not be, so that makes me happy :)

On 21/12/2016 20:07, Seth Arnold wrote:
> On Wed, Dec 21, 2016 at 11:39:26AM +0000, tapper wrote:
>> Hi, my name is Jonathan. I don't know if this is the right place to ask
>> about this but here goes.
>
> It's not the usual use of this list but I suspect you won't upset many
> people either.
>
>> I would like to know if anyone would like to have a poke around at the
>> third party router firmware I use on my router called Gargoyle.
>
> The first item I found in about one minute of inspection is that they
> include an utterly ancient version of ffmpeg:
>
> https://github.com/ericpaulbishop/gargoyle/blob/master/package/ffmpeg/Makefile#L10
>
> PKG_NAME:=ffmpeg
> PKG_VERSION:=2.4.4
> PKG_RELEASE:=1
>
> PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
> PKG_SOURCE_URL:=http://ffmpeg.org/releases/
> PKG_MD5SUM:=7e2819c71484ffba1ba1a91dd5285643
>
> The 2.4 branch of ffmpeg ended with version 2.4.13 on 2016-02-02. Not
> only are they nine point releases behind, they are also drastically
> behind on shipping newer versions entirely. (The latest version upstream
> is numbered 3.2.2. That's seven minor versions behind, too.) Granted,
> new versions bring new bugs, but picking one point in time two years
> ago and then never updating is trouble.
>
> I didn't spot any security fixes for ffmpeg in the patches-generic or
> patches-old directories, but perhaps they just weren't clearly labeled.
>
> Another concerning point is the use of md5 to validate the download. While
> use of md5 as a 'better crc32' is well established, most cryptographic
> authorities are saying it's time to replace md5's replacement, sha-1.
> They're two hash functions behind the times.
>
> A full review would take far more time than I have to offer but the
> initial impression is that it needs a serious refresh of its dependencies.
>
> Thanks
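The two problems Seth points out in the quoted Makefile (a pinned version that is years behind its branch, and a download guarded only by an MD5 digest) can be checked mechanically across a whole package tree. The script below is an added example written for this page; it is not code from the thread, from Gargoyle or from OpenWrt. It parses the `PKG_*` assignments as quoted above, infers the digest algorithm from the hex length, compares the pinned version against the branch-end and upstream numbers Seth gives for December 2016, and shows the fail-closed SHA-256 check a build should run on the fetched tarball. The `PKG_HASH` variable name is assumed here as the place a SHA-256 digest would be pinned; the "good" Makefile in the test is constructed.

```python
"""Dependency-pin audit for an OpenWrt/Gargoyle-style package Makefile.

Checks whether the pinned PKG_VERSION is behind its branch or behind
upstream, and whether the download is protected by an MD5 digest rather
than a SHA-256 one. verify_download() is the fail-closed check a build
should perform on the tarball once a SHA-256 digest is pinned.
"""
import hashlib
import hmac
import re

# Copy of the ffmpeg Makefile header quoted in the thread, embedded inline
# so the audit runs offline.
FFMPEG_MAKEFILE = """\
PKG_NAME:=ffmpeg
PKG_VERSION:=2.4.4
PKG_RELEASE:=1

PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=http://ffmpeg.org/releases/
PKG_MD5SUM:=7e2819c71484ffba1ba1a91dd5285643
"""

# Hex digest length identifies which algorithm a hash variable holds.
_DIGEST_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_package_makefile(text):
    """Return PKG_* assignments (':=' or '=') as a dict; other lines are ignored."""
    pkg = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(PKG_[A-Z0-9_]+)\s*:?=\s*(.*?)\s*$", line)
        if m:
            pkg[m.group(1)] = m.group(2)
    return pkg


def version_tuple(version):
    """'2.4.13' -> (2, 4, 13); non-numeric fragments are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def audit_package(text, branch_latest=None, upstream_latest=None):
    """Return a list of findings; an empty list means the Makefile passed.

    branch_latest:   last release on the same branch as the pinned version
    upstream_latest: newest release upstream ships at all
    """
    pkg = parse_package_makefile(text)
    name = pkg.get("PKG_NAME", "<unnamed>")
    findings = []

    # 1. Is the download protected by a digest, and by which algorithm?
    #    PKG_HASH is assumed here as the variable holding a SHA-256 digest.
    hash_keys = [k for k in pkg if k.endswith("SUM") or k == "PKG_HASH"]
    if not hash_keys:
        findings.append(f"{name}: no download digest at all")
    for key in hash_keys:
        algo = _DIGEST_ALGO_BY_LEN.get(len(pkg[key]), "unknown")
        if algo != "sha256":
            findings.append(f"{name}: {key} is {algo}; pin a SHA-256 digest in PKG_HASH instead")

    # 2. Is the pinned version stale relative to its branch or to upstream?
    version = pkg.get("PKG_VERSION")
    if version and branch_latest:
        have, want = version_tuple(version), version_tuple(branch_latest)
        if have < want:
            if have[:-1] == want[:-1]:
                behind = want[-1] - have[-1]
                findings.append(f"{name}: {version} is {behind} point releases behind {branch_latest}")
            else:
                findings.append(f"{name}: {version} is older than branch end {branch_latest}")
    if version and upstream_latest:
        if version_tuple(version)[:2] < version_tuple(upstream_latest)[:2]:
            findings.append(f"{name}: {version} is on an older branch than upstream {upstream_latest}")
    return findings


def verify_download(data, expected_sha256):
    """Fail-closed check of fetched tarball bytes against the pinned SHA-256."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


if __name__ == "__main__":
    # Branch-end and upstream numbers are the ones Seth quotes for Dec 2016.
    for finding in audit_package(FFMPEG_MAKEFILE, branch_latest="2.4.13",
                                 upstream_latest="3.2.2"):
        print(finding)
```

Run against the quoted Makefile it reports the MD5-only digest, the nine point releases behind 2.4.13, and the older branch relative to 3.2.2; pointing `audit_package` at every `package/*/Makefile` in a firmware tree turns Seth's one-minute spot check into a repeatable dependency-refresh report.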