Another LZ4 Security Issue Analyzed
At the end of June I mentioned LZO and LZ4 security issues were uncovered while coming to light in the past week was another potential LZ4 security vulnerability for the lossless data compression library.
Phoronix reader OxBADCODE wrote in today explaining, "Another security issue has been found in LZ4 compression library. Buzz around LZ4 and LZO security issues has caused even more thorough code review of LZ4 library. As the result it has been discovered that in some rare circumstances LZ4 can potentially perform undesired memory accesses, which can be security issue on some architectures. This bug is hard to use for practical purposes, only happens on 32-bit architectures and only affects some of them (to the date its only known it could be potentially usable to conduct attacks on ARM). However, it still can be good idea to update LZ4 lib to newer version, r119, where this problem has been corrected."
The latest LZ4 security issue mentioned is this bug and analyzed in greater detail via this blog post.
Phoronix reader OxBADCODE wrote in today explaining, "Another security issue has been found in LZ4 compression library. Buzz around LZ4 and LZO security issues has caused even more thorough code review of LZ4 library. As the result it has been discovered that in some rare circumstances LZ4 can potentially perform undesired memory accesses, which can be security issue on some architectures. This bug is hard to use for practical purposes, only happens on 32-bit architectures and only affects some of them (to the date its only known it could be potentially usable to conduct attacks on ARM). However, it still can be good idea to update LZ4 lib to newer version, r119, where this problem has been corrected."
The latest LZ4 security issue mentioned is this bug and analyzed in greater detail via this blog post.
7 Comments