Ubuntu
lz4 package

Bug #1531923
Comment #7

Comment 7 for bug 1531923

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2016-02-16:

Hello, I reviewed lz4 version 0.0~r131-1 as checked into xenial. This
shouldn't be considered a full security audit but rather a quick gauge of
maintainability.

- I found two CVEs, CVE-2014-4715 and CVE-2014-4611. One may be specific
to the Linux kernel implementation of lz4 decompression; the other was
an integer overflow issue with unusual architectures.

  While the reporting was poor and lead to very frustrated upstream, Yann
  moved to integrate a fuzzing process into the build alongside other
  extensive test suites. Builds spend far more time testing than building.

- lz4 provides a very fast compression library and tool
- Build-Depends: debhelper
- Does not itself do networking, cryptography
- Does not itself daemonize
- No pre/post inst/rm
- No init scripts
- No dbus services
- No setuids
- No sudo fragments
- No privieged portions of code
- No udev rules
- No cronjobs
- New lz4 lz4c executables, unlz4 and unlz4cat symlinks
- One lintian error:
E: liblz4-1: postinst-must-call-ldconfig
usr/lib/x86_64-linux-gnu/liblz4.so.1.7.1
- Clean build logs

- No subprocesses spawned
- Memory management looked careful
- Files written to are under control of callers
- Logging looked careful
- No environment variables used
- No privileged operations
- No networking
- No cryptography
- No privileged portions of code
- No webkit
- No tmp files
- No PolicyKit
- Clean cppcheck
- Clean shellcheck

lz4 is carefully coded; similar to most codecs or compression algorithms
it's complicated code, but it has a good track record, responsive
upstream, proactive attempts to find and prevent security issues, and the
closest thing I found to a bug is a partially-implemented feature to allow
changing the default suffix away from .lz4:

- LZ4IO_compressMultipleFilenames() and
  LZ4IO_decompressMultipleFilenames() uses a hardcoded
  '+ 20' rather than + suffixSize + 1 + (optional slop space)
- MAXSUFFIXSIZE appears unused
- LZ4IO_decompressMultipleFilenames() hardcodes LZ4_EXTENSION length as
  '4' (via %4s format string)

None of this is security-relevant or even user-facing.

Security team ACK for promoting lz4 to main.

Thanks

Hello, I reviewed lz4 version 0.0~r131-1 as checked into xenial. This
shouldn't be considered a full security audit but rather a quick gauge of
maintainability.

- I found two CVEs, CVE-2014-4715 and CVE-2014-4611. One may be specific
  to the Linux kernel implementation of lz4 decompression; the other was
  an integer overflow issue with unusual architectures.

- lz4 provides a very fast compression library and tool
- Build-Depends: debhelper
- Does not itself do networking, cryptography
- Does not itself daemonize
- No pre/post inst/rm
- No init scripts
- No dbus services
- No setuids
- No sudo fragments
- No privieged portions of code
- No udev rules
- No cronjobs
- New lz4 lz4c executables, unlz4 and unlz4cat symlinks
- One lintian error:
  E: liblz4-1: postinst-must-call-ldconfig
  usr/lib/x86_64-linux-gnu/liblz4.so.1.7.1
- Clean build logs

None of this is security-relevant or even user-facing.

Security team ACK for promoting lz4 to main.

Thanks

Ubuntulz4 package

Comment 7 for bug 1531923

Ubuntu
lz4 package