Hello, I reviewed lz4 version 0.0~r131-1 as checked into xenial. This
shouldn't be considered a full security audit but rather a quick gauge of
maintainability.
- I found two CVEs, CVE-2014-4715 and CVE-2014-4611. One may be specific
to the Linux kernel implementation of lz4 decompression; the other was
an integer overflow issue with unusual architectures.
While the reporting was poor and lead to very frustrated upstream, Yann
moved to integrate a fuzzing process into the build alongside other
extensive test suites. Builds spend far more time testing than building.
- lz4 provides a very fast compression library and tool
- Build-Depends: debhelper
- Does not itself do networking, cryptography
- Does not itself daemonize
- No pre/post inst/rm
- No init scripts
- No dbus services
- No setuids
- No sudo fragments
- No privieged portions of code
- No udev rules
- No cronjobs
- New lz4 lz4c executables, unlz4 and unlz4cat symlinks
- One lintian error:
E: liblz4-1: postinst-must-call-ldconfig
usr/lib/x86_64-linux-gnu/liblz4.so.1.7.1
- Clean build logs
- No subprocesses spawned
- Memory management looked careful
- Files written to are under control of callers
- Logging looked careful
- No environment variables used
- No privileged operations
- No networking
- No cryptography
- No privileged portions of code
- No webkit
- No tmp files
- No PolicyKit
- Clean cppcheck
- Clean shellcheck
lz4 is carefully coded; similar to most codecs or compression algorithms
it's complicated code, but it has a good track record, responsive
upstream, proactive attempts to find and prevent security issues, and the
closest thing I found to a bug is a partially-implemented feature to allow
changing the default suffix away from .lz4:
- LZ4IO_compressMultipleFilenames() and
LZ4IO_decompressMultipleFilenames() uses a hardcoded
'+ 20' rather than + suffixSize + 1 + (optional slop space)
- MAXSUFFIXSIZE appears unused
- LZ4IO_decompressMultipleFilenames() hardcodes LZ4_EXTENSION length as
'4' (via %4s format string)
None of this is security-relevant or even user-facing.
Hello, I reviewed lz4 version 0.0~r131-1 as checked into xenial. This
shouldn't be considered a full security audit but rather a quick gauge of
maintainability.
- I found two CVEs, CVE-2014-4715 and CVE-2014-4611. One may be specific
to the Linux kernel implementation of lz4 decompression; the other was
an integer overflow issue with unusual architectures.
While the reporting was poor and lead to very frustrated upstream, Yann
moved to integrate a fuzzing process into the build alongside other
extensive test suites. Builds spend far more time testing than building.
- lz4 provides a very fast compression library and tool must-call- ldconfig x86_64- linux-gnu/ liblz4. so.1.7. 1
- Build-Depends: debhelper
- Does not itself do networking, cryptography
- Does not itself daemonize
- No pre/post inst/rm
- No init scripts
- No dbus services
- No setuids
- No sudo fragments
- No privieged portions of code
- No udev rules
- No cronjobs
- New lz4 lz4c executables, unlz4 and unlz4cat symlinks
- One lintian error:
E: liblz4-1: postinst-
usr/lib/
- Clean build logs
- No subprocesses spawned
- Memory management looked careful
- Files written to are under control of callers
- Logging looked careful
- No environment variables used
- No privileged operations
- No networking
- No cryptography
- No privileged portions of code
- No webkit
- No tmp files
- No PolicyKit
- Clean cppcheck
- Clean shellcheck
lz4 is carefully coded; similar to most codecs or compression algorithms implemented feature to allow
it's complicated code, but it has a good track record, responsive
upstream, proactive attempts to find and prevent security issues, and the
closest thing I found to a bug is a partially-
changing the default suffix away from .lz4:
- LZ4IO_compressM ultipleFilename s() and decompressMulti pleFilenames( ) uses a hardcoded sMultipleFilena mes() hardcodes LZ4_EXTENSION length as
LZ4IO_
'+ 20' rather than + suffixSize + 1 + (optional slop space)
- MAXSUFFIXSIZE appears unused
- LZ4IO_decompres
'4' (via %4s format string)
None of this is security-relevant or even user-facing.
Security team ACK for promoting lz4 to main.
Thanks