|
|
Subscribe / Log in / New account

zlib all over again?

zlib all over again?

Posted Jun 27, 2014 0:18 UTC (Fri) by cesarb (subscriber, #6266)
Parent article: Decades-Old Vulnerability Threatens 'Internet Of Things' (Dark Reading)

The zlib bugs had a lot of impact because of how pervasive it was. Looks like the same thing is going to happen with LZO.

to post comments

zlib all over again?

Posted Jun 27, 2014 1:24 UTC (Fri) by PaXTeam (guest, #24616) [Link] (10 responses)

or maybe not

zlib all over again?

Posted Jun 27, 2014 6:59 UTC (Fri) by nmav (guest, #34036) [Link] (5 responses)

Thanks for posting that. My experience with bugs reported due to that issue was the same as the article describes. As this algorithm is used for stateless compression, blocks of 16mb+ that the attack requires are highly unlikely to be allowed by software.

zlib all over again?

Posted Jun 27, 2014 16:25 UTC (Fri) by Wol (subscriber, #4433) [Link] (4 responses)

Hmmm ...

Just to point out, my 24MP DSLR chucks out files up to 32Mb in size ...

But does "block size" refer to the entire file, or is it broken down into chunks for compression? Probably the latter.

Either way, I would have thought most of the "internet of things" wouldn't have a lot of memory, to even have 16Mb chunks. It's hard to tell, but I got the impression that most embedded devices have - what would seem to us people used to PCs - an incredibly tiny amount of ram.

Cheers,
Wol

zlib all over again?

Posted Jun 28, 2014 4:11 UTC (Sat) by proski (subscriber, #104) [Link] (3 responses)

What matters is whether the camera would accept large blocks when showing images from the memory. The bug is in decompression.

Just a thought - exploiting a compression bug in a camera would require making a malicious image in the real world and taking its picture. That would be exteremely hard to accomplish.

zlib all over again?

Posted Jun 29, 2014 19:59 UTC (Sun) by rgmoore (✭ supporter ✭, #75) [Link] (1 responses)

Just a thought - exploiting a compression bug in a camera would require making a malicious image in the real world and taking its picture.

Which still wouldn't work, because real-world cameras have measurable noise in the least significant digits of their images. If you somehow created an image that could theoretically cause problems, the noise would probably throw everything off.

zlib all over again?

Posted Jun 30, 2014 8:16 UTC (Mon) by BlueLightning (subscriber, #38978) [Link]

Even so, it's conceivable (though unlikely) that you could trigger a bug in some built-in image recognition code, such as facial recognition, or perhaps code to detect duplicating currency.

zlib all over again?

Posted Jun 29, 2014 21:39 UTC (Sun) by dvdeug (guest, #10998) [Link]

On Bones, a hacker not only exploited a computer via an image carved on bone, he caused it to catch fire. I head-desked.

zlib all over again?

Posted Jun 27, 2014 22:22 UTC (Fri) by PaXTeam (guest, #24616) [Link] (3 responses)

and the empire strikes back, sort of ;)

zlib all over again?

Posted Jun 29, 2014 16:04 UTC (Sun) by Huchev (guest, #92991) [Link] (2 responses)

Yeah, sort of.
The article just claims that the vulnerability exists, which was *never disputed*. It's a rhetorical attempt at being right by association : if he's right for the existence of the vulnerability, he must be right for its gravity ?

But no, that's where the core of the problem is.
Both Oberhummer & Collet state that the vulnerability existed and is fixed, but could never be exploited in currently known software. In contrast, Bailey produces a summary table pretending the vulnerability is "practical for RCE attacks". In a word, "heartbleed" like. Practical really ? With no implementation known to be exploitable ? That's a curious definition of "practical".

This is all scare mongering strategy. The objective is to create big headlines, ensuring the majority of the press won't get into the little boring technical details and will simply forward the scary-looking headline to maximize clicks.
This is really lame, especially from the security firm which deliberately triggered this hype-reporting process.

zlib all over again?

Posted Jun 29, 2014 16:42 UTC (Sun) by PaXTeam (guest, #24616) [Link] (1 responses)

there was surely too much hype around these bugs but you've managed to overdo the de-hyping. most importantly, noone can claim (and noone has) that these bugs "could never be exploited in currently known software". this is because the exploitability depends on how a given piece of software uses the LZ* code (it's a library, remember) and nobody knows all the users out there. it's great that the ones found by a quick grep in the debian package repo did not prove to be exploitable in practice but that doesn't diminish the importance for all the other users who should double check *their* use of the LZ* code. that is what the important message should have been in this circus but as your post proves it, it apparently got lost in the noise. it's a sad state of affairs for all sides.

zlib all over again?

Posted Jul 9, 2014 22:04 UTC (Wed) by nix (subscriber, #2304) [Link]

Quite. I saw one thing saying that an unspecified Mars lander (Curiosity?) ran the vulnerable lzo version and could be at risk. From whom? Martians, who would have physical access if they existed? Another major world power with a deep space tracking network that wants to break Curiosity?

(Yeah, right. Threat model, guys: you don't have one.)


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds