Date: Thu, 26 Jun 2014 23:21:34 +0200
From: Yves-Alexis Perez <corsac@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: LMS-2014-06-16-1: Oberhumer LZO

On ven., 2014-06-27 at 00:28 +0400, Solar Designer wrote:
> Yves-Alexis, can you please post that lengthy list in here? 

Sure :)

>  Having it
> available right away would be partial justification/excuse for the
> delay in disclosing these issues appropriately. ;-)

While it indeed took some time to do the search, having to contact all
the projects would have been really too long, so I think posting the
list definitely makes sense, in the hope at least some people from those
projects read the list, or some people reading the list will have the
time to file bugs.

I also need to remind the list that I did the checks using
codesearch.debian.net[1,2], which is a really helpful tool for that kind
of things, but:

- only indexes packages from Debian sid (so not upstream, for example)
- doesn't reveal if those embedded codes are actually used.

Still, I find the amount of embedded minilzo libs (for example)
worrying.

Here's the data.

For LZO:

- grub2 [3] embeds minilzo
- busybox [4] embeds minilzo
- syslinux [5] seems to embed lzo but I'm unsure if the vulnerable code
is really present, I can't find lzo1x_decompress_safe() code
- xen [6] embeds lzo
- chromium embeds lzo through ffmpeg
- valgrind [7] seems to include bits of minilzo but I'm not sure the
vulnerable code is present
- remmina [8] includes minilzo (apparently through libvncserver)
- blender [9] embeds minilzo
- x11vnc embeds minilzo (twice, through libvncserver [10] and
libvncclient [11])
- italc [12] embeds minilzo
- dump [13] embeds minilzo
- krfb [14] embeds minilzo through libvncserver
- nfdump [15] embeds minilzo
- kino [16] embeds lzo through ffmpeg
- samhain [17] embeds minilzo
- u-boot [18] embeds minilzo decompressor
- icecc [19] embeds minilzo
- bb [20] embeds minilzo
- mednafen [21] embeds minilzo
- ht [22] embeds minilzo
- n2n [23] embeds minilzo

Apparently, libvncserver/libvncclient themselves stopped embedding
minilzo, at least in Debian.


For LZ4:

- pytables [24] embeds lz4
- gtkwave [25] embeds lz4
- php-horde-lz4 [26] embeds lz4

With more generic searches [27,28,29] we can also find some other
traces.

I can find traces of lzo in:

- xine-lib [30] (obsolete, apparently embedded an ffmpeg/libav copy)

And traces of lz4 in:

- grub2 [31] (zfs file system support, implementation from Yann Collet
but LZ4_decompress_generic doesn't seem present)
- iceweasel/firefox [32,33] embeds LZ4
- efl [34] (Enlightenment Foundation Library, Yann Collet
implementation, but again LZ4_decompress_generic is not present)
- eet [35] (seems to be an old Enlightenment lib, not sure it's relevant
anymore, embeds the Yann Collet implementation)
- kfreebsd/zfsutils (obviously)

As far as I can tell there's only embedded stuff, no new implementation,
but I might be wrong.

Regards,


[1]: http://codesearch.debian.net/search?q=%28%3Fi%29lzo1._decompress_safe
[2]: http://codesearch.debian.net/search?q=%28%3Fi%29LZ4_decompress_generic
[3]: http://sources.debian.net/src/grub2/2.02~beta2-10/grub-core/lib/minilzo
[4]: http://sources.debian.net/src/busybox/1:1.22.0-6/archival/libarchive/lzo1x_d.c?hl=33#L33
[5]: http://sources.debian.net/src/syslinux/3:6.03~pre17%2Bdfsg-1/lzo/LZO.TXT
[6]: http://sources.debian.net/src/xen/4.3.0-3/xen/common/lzo.c#L303
[7]: http://sources.debian.net/src/valgrind/1:3.9.0-6/coregrind/m_debuginfo/minilzo-inl.c
[8]: http://sources.debian.net/src/remmina/1.0.0-6/remmina-plugins/vnc/libvncserver/common/minilzo.c
[9]: http://sources.debian.net/src/blender/2.70a-2/extern/lzo/minilzo
[10]: http://sources.debian.net/src/x11vnc/0.9.13-1.1/libvncserver/minilzo.c
[11]: http://sources.debian.net/src/x11vnc/0.9.13-1.1/libvncclient/minilzo.c
[12]: http://sources.debian.net/src/italc/1:2.0.1-4/ica/x11/common/minilzo.c
[13]: http://sources.debian.net/src/dump/0.4b44-4/compat/lib/minilzo.c
[14]: http://sources.debian.net/src/krfb/4:4.12.2-2/libvncserver/minilzo.c
[15]: http://sources.debian.net/src/nfdump/1.6.8p1-1/bin/minilzo.c
[16]: http://sources.debian.net/src/kino/1.3.4-2.1/ffmpeg/libavutil/lzo.c
[17]: http://sources.debian.net/src/samhain/3.1.0-6/src/minilzo.c
[18]: http://sources.debian.net/src/u-boot/2014.04%2Bdfsg1-1/lib/lzo/lzo1x_decompress.c
[19]: http://sources.debian.net/src/icecc/1.0.1-1/minilzo/minilzo.c
[20]: http://sources.debian.net/src/bb/1.3rc1-8.1/minilzo.c
[21]: http://sources.debian.net/src/mednafen/0.9.35.1-1/src/compress/minilzo.c
[22]: http://sources.debian.net/src/ht/2.0.22-2/minilzo/minilzo.c
[23]: http://sources.debian.net/src/n2n/1.3.1~svn3789-4/minilzo.c
[24]: http://sources.debian.net/src/pytables/3.1.1-1/c-blosc/internal-complibs/lz4-r113/lz4.c?hl=719#L719
[25]: http://sources.debian.net/src/gtkwave/3.3.60-1/src/helpers/fst/lz4.c#L412
[26]: http://sources.debian.net/src/php-horde-lz4/1.0.3-1/horde_lz4-1.0.3/lz4.c?hl=668#L668
[27]: http://codesearch.debian.net/search?q=%28%3Fi%29LZOcontext
[28]: http://codesearch.debian.net/search?q=%28%3Fi%29LZ4_
[29]: http://codesearch.debian.net/search?q=%28%3Fi%29Yann+Collet
[30]: http://sources.debian.net/src/xine-lib/1.1.21-1+deb7u1/src/libffmpeg/libavcodec/lzo.c
[31]: http://sources.debian.net/src/grub2/2.02~beta2-9/grub-core/fs/zfs/zfs_lz4.c
[32]: http://sources.debian.net/src/iceweasel/30.0-2/toolkit/components/workerlz4/
[33]: http://sources.debian.net/src/iceweasel/30.0-2/mfbt/lz4.c
[34]: http://sources.debian.net/src/efl/1.8.6-2/src/static_libs/lz4
[35]: https://github.com/kakaroto/e17/tree/master/eet/src/lib/lz4
-- 
Yves-Alexis

