Another LZ4 Security Issue Analyzed

Written by Michael Larabel in Linux Security on 13 July 2014 at 10:19 PM EDT. 7 Comments
LINUX SECURITY
At the end of June I mentioned LZO and LZ4 security issues were uncovered while coming to light in the past week was another potential LZ4 security vulnerability for the lossless data compression library.

Phoronix reader OxBADCODE wrote in today explaining, "Another security issue has been found in LZ4 compression library. Buzz around LZ4 and LZO security issues has caused even more thorough code review of LZ4 library. As the result it has been discovered that in some rare circumstances LZ4 can potentially perform undesired memory accesses, which can be security issue on some architectures. This bug is hard to use for practical purposes, only happens on 32-bit architectures and only affects some of them (to the date its only known it could be potentially usable to conduct attacks on ARM). However, it still can be good idea to update LZ4 lib to newer version, r119, where this problem has been corrected."

The latest LZ4 security issue mentioned is this bug and analyzed in greater detail via this blog post.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week