Use LZ4_decompress_safe instead of LZ4_uncompress
LZ4_uncompress is deprecated and has security problems.
Showing 1 changed file with 6 additions and 7 deletions.
Comments on commit 199f5f7:
This is technically incorrect. LZ4_decompress_safe was also proven exploitable in the same way that the LZ4_uncompress variants are exploitable. LZ4_decompress_safe has no additional security protections in versions of LZ4 prior to r119. Versions of LZ4 >= r119 are still vulnerable on 64-bit platforms.
http://blog.securitymouse.com/2014/07/the-lz4-two-hour-challenge.html
Moving from a function which, by API definition, is deprecated and only supports correctly formed input (LZ4_uncompress), to a function which, by API definition, also supports malicious input scenarios (LZ4_decompress_safe), seems a beneficial evolution for a library which will likely need to work with untrusted (external) input in the near future.
Note: context information: secMouse spent his last few weeks creating multiple "vulnerability PoC" using LZ4_uncompress.
If you have some elements to underline, you could, as countless developers did before, start by opening a new issue in the relevant public issue board and start a discussion there. You are singular in preferring to shout affirmations directly to the press and social media without bothering to share your point with the relevant upstream organization.
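As an added illustration of the distinction drawn above between an entry point that assumes well-formed input and one that is specified to survive malicious input, here is a hypothetical bounds-checked LZ4 block decoder (example code written for this page, not the lz4 library's LZ4_decompress_safe and not code from this repository): every literal length, match length and match offset is validated against the remaining input and output before any byte is copied. The function names and the constructed sample blocks are assumptions.

```c
#include <limits.h>
#include <stdint.h>
#include <string.h>

/* Reads an LZ4 length extension (bytes are summed until one is < 255) into *len.
 * Returns 0 if the input is truncated or the sum would wrap around. */
static int read_ext_len(const uint8_t *src, size_t src_len, size_t *ip, size_t *len) {
    uint8_t b;
    do {
        if (*ip >= src_len) return 0;
        b = src[(*ip)++];
        if (*len > SIZE_MAX - 255) return 0;
        *len += b;
    } while (b == 255);
    return 1;
}
/* Hypothetical bounds-checked LZ4 block decoder (not the lz4 library's code).
 * Returns the decompressed size, or -1 if the block is malformed or would overrun dst.
 * Every check compares against remaining counts, never computed end pointers, so nothing wraps. */
int lz4_block_decode_checked(const uint8_t *src, size_t src_len, uint8_t *dst, size_t dst_cap) {
    size_t ip = 0, op = 0;
    while (ip < src_len) {
        uint8_t token = src[ip++];
        size_t lit = token >> 4;                                    /* literal run length */
        if (lit == 15 && !read_ext_len(src, src_len, &ip, &lit)) return -1;
        if (lit > src_len - ip || lit > dst_cap - op) return -1;    /* literals fit src and dst? */
        memcpy(dst + op, src + ip, lit);
        ip += lit; op += lit;
        if (ip == src_len) break;                                   /* final sequence: no match */
        if (src_len - ip < 2) return -1;                            /* offset bytes present? */
        size_t offset = src[ip] | ((size_t)src[ip + 1] << 8); ip += 2;
        if (offset == 0 || offset > op) return -1;                  /* match must lie in decoded data */
        size_t mlen = token & 0x0F;
        if (mlen == 15 && !read_ext_len(src, src_len, &ip, &mlen)) return -1;
        if (dst_cap - op < 4 || mlen > dst_cap - op - 4) return -1; /* match (+4 minimum) fits dst? */
        mlen += 4;
        for (size_t i = 0; i < mlen; i++) dst[op + i] = dst[op + i - offset]; /* copy may overlap */
        op += mlen;
    }
    return op > INT_MAX ? -1 : (int)op;
}
/* Constructed blocks: literals "abc", a 9-byte match at offset 3, then final literals "XYZ12"
 * -> "abcabcabcabcXYZ12" (17 bytes). SAMPLE_BAD is the same block with offset 0x10, which points
 * before the start of the output; an unchecked decoder would simply read from there. */
static const uint8_t SAMPLE_OK[]  = { 0x35, 'a','b','c', 0x03,0x00, 0x50, 'X','Y','Z','1','2' };
static const uint8_t SAMPLE_BAD[] = { 0x35, 'a','b','c', 0x10,0x00, 0x50, 'X','Y','Z','1','2' };
uint8_t sample_out[32]; /* scratch output, inspected after decode_sample() */
/* Decodes blk into sample_out presented as `cap` bytes (at most 32) and returns the result. */
int decode_sample(const uint8_t *blk, size_t blk_len, size_t cap) {
    return lz4_block_decode_checked(blk, blk_len, sample_out, cap > sizeof sample_out ? sizeof sample_out : cap);
}
```

decode_sample(SAMPLE_OK, sizeof SAMPLE_OK, 32) returns 17 and leaves "abcabcabcabcXYZ12" in sample_out; the same block with a 10-byte output cap, SAMPLE_BAD, or a block truncated before its offset bytes returns -1 instead of reading or writing out of bounds.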
It doesn't seem helpful to me to have this argument here. Surely this is an argument about the LZ4 library that we are using here. We are now on the latest version r119. I'm not sure there's much more that this project can do to improve this situation.
If someone wants to make a suggestion I'm happy to hear it as a pull request, issue or on our HackerOne account: https://hackerone.com/