Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 21 Dec 2016 20:46:43 +0000
From: tapper <lancett01@...glemail.com>
To: oss-security@...ts.openwall.com
Subject: Re: Curious about the security of my router fermwair.

Thanks very much for this I will pass this on to the devs. I don't see 
this being much of a problem I will make a pr. I scanned my device with 
nmap and didn't find any thing open that should not be so that makes me 
happy :)


On 21/12/2016 20:07, Seth Arnold wrote:
> On Wed, Dec 21, 2016 at 11:39:26AM +0000, tapper wrote:
>> 	Hi my name is Jonathan. I don't know if this is the write place to ask
>> about this but here gos.
>
> It's not the usual use of this list but I suspect you won't upset many
> people either.
>
>> I would like to know if any one would like to have a poke around at the
>> third party router firmware I use on my router called Gargoyle.
>
> The first item I found in about one minute of inspection is that they
> include an utterly ancient version of ffmpeg:
>
> https://github.com/ericpaulbishop/gargoyle/blob/master/package/ffmpeg/Makefile#L10
>
> PKG_NAME:=ffmpeg
> PKG_VERSION:=2.4.4
> PKG_RELEASE:=1
>
> PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
> PKG_SOURCE_URL:=http://ffmpeg.org/releases/
> PKG_MD5SUM:=7e2819c71484ffba1ba1a91dd5285643
>
> The 2.4 branch of ffmpeg ended with version 2.4.13 on 2016-02-02. Not
> only are they nine point releases behind, they are also drastically
> behind on shipping newer versions entirely. (The latest version upstream
> is numbered 3.2.2. That's seven minor versions behind, too.) Granted,
> new versions bring new bugs, but picking one point in time two years
> ago and then never updating is trouble.
>
> I didn't spot any security fixes for ffmpeg in the patches-generic or
> patches-old directories, but perhaps they just weren't clearly labeled.
>
> Another concerning point is the use of md5 to validate the download. While
> use of md5 as a 'better crc32' is well established, most cryptographic
> authorities are saying it's time to replace md5's replacement, sha-1.
> They're two hash functions behind the times.
>
> A full review would take far more time than I have to offer but the
> initial impression is that it needs a serious refresh of its dependencies.
>
> Thanks
>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ