[MIR] lz4

Bug #1531923 reported by Julian Andres Klode
This bug affects 2 people
Affects: lz4 (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: (not set)

Bug Description

[Availability]
OK

[Rationale]
needed for next APT release and to fix squashfs-tools depwait

[Security]
One CVE so far: http://www.cvedetails.com/product/28069/Yann-Collet-LZ4.html?vendor_id=13512

[Quality assurance]
Small compression library, should be easy to handle.

No bugs in Debian, except for a packaging wish: https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=lz4;dist=unstable

Upstream bugs seem OK, mostly wishes and used as a TODO list:
https://github.com/Cyan4973/lz4/issues
(some small issues in the lz4 tool in liblz4-tool, but nothing really important).

[Dependencies]
Satisfiable

[Standards compliance]
seems ok

[Maintenance]
Actively maintained in Debian, also used by zfs and squashfs.

Foundations is now subscribed to bugs for the package.

[Background information]

APT master has just landed support for lz4 compression using liblz4. As such, we need liblz4-1 and -dev promoted to main for the next APT release.

I'm posting this ahead of the APT release so we can get this change reviewed in advance.

Also, squashfs-tools is currently in depwait on liblz4-dev.

Michael Terry (mterry)
Changed in lz4 (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Julian Andres Klode (juliank) wrote:

APT 1.2 is now in proposed, not to mention squashfs-tools (since October), so it would be really important to get lz4 into main ASAP.

Michael Terry (mterry) wrote:

OK, I'm switching to Seth for the security look-see, because I'm 90% sure that's what Jamie would do. :)

Changed in lz4 (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → Seth Arnold (seth-arnold)
Simon Quigley (tsimonq2) wrote:

This also blocks the build of apt 1.2.1, so I am giving this thread a little nudge.

Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lz4 (Ubuntu):
status: New → Confirmed
Julian Andres Klode (juliank) wrote:

push

Julian Andres Klode (juliank) wrote:

The feature freeze is in 2 days. We need lz4 in main before that to have APT 1.2 to go in before that.

Seth Arnold (seth-arnold) wrote:

Hello, I reviewed lz4 version 0.0~r131-1 as checked into xenial. This
shouldn't be considered a full security audit but rather a quick gauge of
maintainability.

- I found two CVEs, CVE-2014-4715 and CVE-2014-4611. One may be specific
  to the Linux kernel implementation of lz4 decompression; the other was
  an integer overflow issue with unusual architectures.

  While the reporting was poor and led to very frustrated upstream, Yann
  moved to integrate a fuzzing process into the build alongside other
  extensive test suites. Builds spend far more time testing than building.

- lz4 provides a very fast compression library and tool
- Build-Depends: debhelper
- Does not itself do networking, cryptography
- Does not itself daemonize
- No pre/post inst/rm
- No init scripts
- No dbus services
- No setuids
- No sudo fragments
- No privileged portions of code
- No udev rules
- No cronjobs
- New lz4 lz4c executables, unlz4 and unlz4cat symlinks
- One lintian error:
  E: liblz4-1: postinst-must-call-ldconfig
  usr/lib/x86_64-linux-gnu/liblz4.so.1.7.1
- Clean build logs

- No subprocesses spawned
- Memory management looked careful
- Files written to are under control of callers
- Logging looked careful
- No environment variables used
- No privileged operations
- No networking
- No cryptography
- No privileged portions of code
- No webkit
- No tmp files
- No PolicyKit
- Clean cppcheck
- Clean shellcheck

lz4 is carefully coded; similar to most codecs or compression algorithms
it's complicated code, but it has a good track record, responsive
upstream, proactive attempts to find and prevent security issues, and the
closest thing I found to a bug is a partially-implemented feature to allow
changing the default suffix away from .lz4:

- LZ4IO_compressMultipleFilenames() and
  LZ4IO_decompressMultipleFilenames() use a hardcoded
  '+ 20' rather than + suffixSize + 1 + (optional slop space)
- MAXSUFFIXSIZE appears unused
- LZ4IO_decompressMultipleFilenames() hardcodes LZ4_EXTENSION length as
  '4' (via %4s format string)

None of this is security-relevant or even user-facing.

Security team ACK for promoting lz4 to main.

Thanks

Changed in lz4 (Ubuntu):
assignee: Seth Arnold (seth-arnold) → nobody
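An added illustration of the buffer-sizing point in the review above; these are hypothetical helpers written for this page, not lz4's own LZ4IO_*MultipleFilenames() code. They size the output-name buffer from the suffix's real length instead of a fixed "+ 20" slack, and check the suffix by its full length instead of a fixed-width "%4s" read, so a user-chosen suffix of any length is handled.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Build "<in><suffix>" in an exactly-sized heap buffer.
 * Returns NULL on overflow or allocation failure. */
char *make_compressed_name(const char *in, const char *suffix) {
    size_t in_len = strlen(in), suf_len = strlen(suffix);
    /* guard the size computation itself against size_t wraparound */
    if (in_len > SIZE_MAX - suf_len - 1) return NULL;
    char *out = malloc(in_len + suf_len + 1);
    if (!out) return NULL;
    memcpy(out, in, in_len);
    memcpy(out + in_len, suffix, suf_len + 1);  /* includes the NUL */
    return out;
}

/* Strip <suffix> from <in>. Compares the last strlen(suffix) bytes rather
 * than a hardcoded 4, and rejects names that do not end with the suffix
 * or that would become empty (e.g. ".lz4" by itself). */
char *make_decompressed_name(const char *in, const char *suffix) {
    size_t in_len = strlen(in), suf_len = strlen(suffix);
    if (suf_len == 0 || in_len <= suf_len) return NULL;
    if (memcmp(in + in_len - suf_len, suffix, suf_len) != 0) return NULL;
    size_t out_len = in_len - suf_len;
    char *out = malloc(out_len + 1);
    if (!out) return NULL;
    memcpy(out, in, out_len);
    out[out_len] = '\0';
    return out;
}
```

Callers own the returned buffer and free() it; the decompress helper refusing a non-matching suffix is what prevents silently overwriting an unrelated file.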
Michael Terry (mterry) wrote:

Packaging looks good to me, has bug subscribers, runs comprehensive tests, in sync. Seems great!

Changed in lz4 (Ubuntu):
status: Confirmed → Fix Committed
Matthias Klose (doko) wrote:

Override component to main
lz4 0.0~r131-1 in xenial: universe/misc -> main
liblz4-1 0.0~r131-1 in xenial amd64: universe/libs/extra/100% -> main
liblz4-1 0.0~r131-1 in xenial arm64: universe/libs/extra/100% -> main
liblz4-1 0.0~r131-1 in xenial armhf: universe/libs/extra/100% -> main
liblz4-1 0.0~r131-1 in xenial i386: universe/libs/extra/100% -> main
liblz4-1 0.0~r131-1 in xenial powerpc: universe/libs/extra/100% -> main
liblz4-1 0.0~r131-1 in xenial ppc64el: universe/libs/extra/100% -> main
liblz4-1 0.0~r131-1 in xenial s390x: universe/libs/extra/100% -> main
liblz4-1-dbg 0.0~r131-1 in xenial amd64: universe/debug/extra/100% -> main
liblz4-1-dbg 0.0~r131-1 in xenial arm64: universe/debug/extra/100% -> main
liblz4-1-dbg 0.0~r131-1 in xenial armhf: universe/debug/extra/100% -> main
liblz4-1-dbg 0.0~r131-1 in xenial i386: universe/debug/extra/100% -> main
liblz4-1-dbg 0.0~r131-1 in xenial powerpc: universe/debug/extra/100% -> main
liblz4-1-dbg 0.0~r131-1 in xenial ppc64el: universe/debug/extra/100% -> main
liblz4-1-dbg 0.0~r131-1 in xenial s390x: universe/debug/extra/100% -> main
liblz4-dev 0.0~r131-1 in xenial amd64: universe/libdevel/extra/100% -> main
liblz4-dev 0.0~r131-1 in xenial arm64: universe/libdevel/extra/100% -> main
liblz4-dev 0.0~r131-1 in xenial armhf: universe/libdevel/extra/100% -> main
liblz4-dev 0.0~r131-1 in xenial i386: universe/libdevel/extra/100% -> main
liblz4-dev 0.0~r131-1 in xenial powerpc: universe/libdevel/extra/100% -> main
liblz4-dev 0.0~r131-1 in xenial ppc64el: universe/libdevel/extra/100% -> main
liblz4-dev 0.0~r131-1 in xenial s390x: universe/libdevel/extra/100% -> main
liblz4-tool 0.0~r131-1 in xenial amd64: universe/utils/extra/100% -> main
liblz4-tool 0.0~r131-1 in xenial arm64: universe/utils/extra/100% -> main
liblz4-tool 0.0~r131-1 in xenial armhf: universe/utils/extra/100% -> main
liblz4-tool 0.0~r131-1 in xenial i386: universe/utils/extra/100% -> main
liblz4-tool 0.0~r131-1 in xenial powerpc: universe/utils/extra/100% -> main
liblz4-tool 0.0~r131-1 in xenial ppc64el: universe/utils/extra/100% -> main
liblz4-tool 0.0~r131-1 in xenial s390x: universe/utils/extra/100% -> main
29 publications overridden.

Changed in lz4 (Ubuntu):
status: Fix Committed → Fix Released