Security
Evaluating the LZO integer-overflow bug
In June, a security researcher disclosed an integer-overflow bug in the Lempel–Ziv–Oberhumer (LZO) compression algorithm—a bug that has persisted in the wild for roughly two decades, and is reproduced in multiple LZO implementations as well as in the related LZ4 algorithm. LZ4's author then accused the researcher of irresponsible disclosure and of over-hyping the issue for the sake of publicity. The two have subsequently argued back and forth about the proper assessment of the bug's severity, but wherever history eventually comes down on that particular question, the case holds lessons on a number of fronts for software developers.
Don A. Bailey published a June 26 blog post explaining the bug, which he had discovered during a code audit. In essence, Markus Oberhumer's original LZO code included a simple integer overflow in the code block that handles uncompressed "Literal Runs" in a compressed LZO file. The overflowed variable is later used as a size parameter, which an attacker can use to overflow a pointer and potentially gain access to a protected area of system memory. Importantly, as Bailey sees it, the original LZO reference code has essentially been copied verbatim into a wide variety of later LZO implementations, including OpenVPN, MPlayer2, Libav, FFmpeg, Btrfs, squashfs, Android systems, and the Linux kernel. Furthermore, the LZ4 algorithm developed by Yann Collet also reuses Oberhumer's reference code (including the bug), and LZ4 is also used in a variety of places, including the ZFS filesystem.
Bailey's original post not only described the bug in detail, but it went on to offer an assessment of the severity of the bug for real-world attacks. The Libav and FFmpeg versions of LZO are susceptible to remote code execution, he said, as are LZ4 implementations (although in the LZ4 case, such exploits are only practical on 32-bit architectures). On the other hand, denial-of-service attacks—while arguably less serious—are plausible on all LZO and LZ4 implementations. All of the possible attacks rely on specially crafted data payloads.
Collet fired back with a blog post of his own, the same day, calling Bailey's post "totally irresponsible" and an attempt "to create a flashy headline" by claiming that the bug is far more serious than it actually is. In reality, Collet said, the conditions required to exploit the bug in LZ4 are so peculiar that there is "no real-world risk", and that none of the known LZ4 implementations can be targeted. On June 28, Collet retracted some of his criticisms of Bailey's disclosure methodology but continued to argue that no known program met the conditions required to exploit the bug.
What followed was an at-times heated back-and-forth between the two, both about the severity of the bug and about how it was disclosed. Collet noted that the underlying issue had been reported by someone else more than a year earlier and was deemed low-priority, mostly because the hypothetical attack would require that LZ4 be called with blocks of extremely large size (8MB or larger) and because a 64-bit system would require an implausibly large amount of memory to overflow the buffer. Bailey contended that there are plenty of 32-bit systems in the wild today (including most ARM devices) and that disinterest in future-proofing 64-bit implementations was short-sighted.
On July 1, Bailey posted a follow-up showing that LZ4 could be exploited with 2.47 MB of data. Collet again accused Bailey of irresponsible disclosure for publishing this follow-up without notifying the LZ4 project privately ahead of time.
As a practical matter, an update for LZ4 that fixes all of the issues cited by Bailey is already available, r119. The LZO reference implementation has also been updated with a fix, in version 2.08. Fixes have also been published for the affected downstream projects.
Assessing the real-world severity of the bug is, to a large degree, a matter on which reasonable people may never fully agree. It certainly requires separating the issue from Collet and Bailey's argument over disclosure practices—an argument that is not technical in nature. Bailey has written two posts that describe real-world attacks against LZ4 in the wild; one hinges on the fact that, while "real" users might never use LZ4 with exceptionally large block sizes, higher-level libraries often pass data down to algorithms like LZ4 without doing sanity checks. The second shows Bailey exploiting Firefox 30.0's video-playback code.
Lost in all of the debate about how plausible an attack is against LZ4, though, is a separate point raised in Bailey's original blog post. Oberhumer's reference code for LZO is the original source of the integer overflow, and because that reference code is believed to be highly optimized for decompression speed (which is, after all, one of LZO's key selling points), many developers copied it—flaws and all—into their own projects. Algorithms, Bailey said, become treated like "blessed" code, with other developers assuming their correctness and not giving them the same level of scrutiny that they might to other third-party work. The potential harm of a long-standing bug or even a back-door in reference code is therefore magnified. Where the subject matter is regarded as highly specialized, things become even trickier. One can see echoes of this concern in the recent "too few independent implementations" issue that was cited as an objection to including Daniel J. Bernstein's Curve25519 cryptographic function in the W3C WebCrypto API. The odds may not be particularly high that Bernstein's code contains an exploitable bug, but the fact that so many developers implicitly trust its correctness is a cause for caution.
And cryptography is far from the only subject matter where widespread code reuse is commonplace. It is frequently found where low-level and highly-optimized functions are required. For example, virtually all—if not literally all—free-software raw photo software is built on top of Dave Coffin's dcraw decoder, which is released as ANSI C code typically copied into downstream projects.
However difficult it may be to craft a real-world exploit for LZO or LZ4, a key lesson is that the bug was replicated to a variety of downstream projects in part because the original reference code was not subjected to sufficient scrutiny sooner. A code audit did eventually uncover the flaw, but had that audit taken place years earlier, there would likely be far less outcry over the issue today.
Brief items
Security quotes of the week
People's right to suppress unpleasant lies which are publicly told is being extended to unpleasant truths – until they die when it's suddenly open season on slander. The internet will become constructed entirely of two different sorts of untruth: contemporaneous unalloyed praise and posthumous defamatory hearsay.
Schneier: NSA Targets Privacy Conscious for Surveillance
Bruce Schneier has a good summary of recently reported information about the US National Security Agency (NSA) targeting of users searching for or reading information about Tor and The Amnesic Incognito Live System (Tails), which certainly could include readers of this site. "Jake Appelbaum et. al, are reporting on XKEYSCORE selection rules that target users -- and people who just visit the websites of -- Tor, Tails, and other sites. This isn't just metadata; this is "full take" content that's stored forever. [...] It's hard to tell how extensive this is. It's possible that anyone who clicked on this link -- with the embedded torproject.org URL above -- is currently being monitored by the NSA. It's possible that this only will happen to people who receive the link in e-mail, which will mean every Crypto-Gram subscriber in a couple of weeks. And I don't know what else the NSA harvests about people who it selects in this manner. Whatever the case, this is very disturbing." Also see reports in Linux Journal (which was specifically noted in the XKeyscore rules) and Boing Boing.
OpenSSL speeds up development to avoid being “slow-moving and insular” (Ars Technica)
Ars Technica reports on the OpenSSL project's new roadmap that describes a number of problems with the project and its code along with plans to address them. "The project has numerous problems, the roadmap says. These include a backlog of bug reports, incomplete and incorrect documentation, code complexity that causes maintenance problems, inconsistent coding style, a lack of code review, and having no clear release plan, platform strategy, or security strategy. The plan is to fix all these problems. For example, bug reports should receive 'an initial response within four working days.' That goal can be met now, the roadmap says, but others will take longer. Defining a clear coding standard for the project is expected to take about three months. 'Review[ing] and revis[ing] the public API with a view to reducing complexity' will take about a year."
The CHERI capability model: Revisiting RISC in an age of risk (Light Blue Touchpaper)
Over at the Light Blue Touchpaper blog, there is a summary of a paper [PDF] presented in late June at the 2014 International Symposium on Computer Architecture about Capability Hardware Enhanced RISC Instructions (CHERI). "CHERI is an instruction-set extension, prototyped via an FPGA-based soft processor core named BERI, that integrates a capability-system model with a conventional memory-management unit (MMU)-based pipeline. Unlike conventional OS-facing MMU-based protection, the CHERI protection and security models are aimed at compilers and applications. CHERI provides efficient, robust, compiler-driven, hardware-supported, and fine-grained memory protection and software compartmentalisation (sandboxing) within, rather than between, addresses spaces. We run a version of FreeBSD that has been adapted to support the hardware capability model (CheriBSD) compiled with a CHERI-aware Clang/LLVM that supports C pointer integrity, bounds checking, and capability-based protection and delegation. CheriBSD also supports a higher-level hardware-software security model permitting sandboxing of application components within an address space based on capabilities and a Call/Return mechanism supporting mutual distrust."
Garrett: Self-signing custom Android ROMs
Matthew Garrett explains how to get an Android device to refuse to boot an operating system that has not been signed by the device's owner. "It's annoying and involves a bunch of manual processes and you'll need to re-sign every update yourself. But it is possible to configure Nexus devices in such a way that you retain the same level of security you had when you were using the Google keys without losing the freedom to run whatever you want."
New vulnerabilities
apt-cacher-ng: cross-site scripting
| Package(s): | apt-cacher-ng | CVE #(s): | CVE-2014-4510 |
| Created: | July 4, 2014 | Updated: | July 9, 2014 |
| Description: | From the Red Hat bugzilla entry: As noted in this report to oss-security, a flaw exists in the apt-cacher-ng server, and an inside attacker (on the LAN with knowledge of the server's address), could trick a user into visiting, or redirect them to, a manipulated URL that would cause the cross-site scripting attack. |
| Alerts: | |
cacti: cross-site scripting
| Package(s): | cacti | CVE #(s): | CVE-2014-4002 |
| Created: | July 8, 2014 | Updated: | July 9, 2014 |
| Description: | From the CVE entry: Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote attackers to inject arbitrary web script or HTML via the (1) drp_action parameter to cdef.php, (2) data_input.php, (3) data_queries.php, (4) data_sources.php, (5) data_templates.php, (6) graph_templates.php, (7) graphs.php, (8) host.php, or (9) host_templates.php or the (10) graph_template_input_id or (11) graph_template_id parameter to graph_templates_inputs.php. |
| Alerts: | |
cumin: two vulnerabilities
| Package(s): | cumin | CVE #(s): | CVE-2012-2682 CVE-2014-0174 |
| Created: | July 9, 2014 | Updated: | July 9, 2014 |
| Description: | From the Red Hat advisory: It was found that if Cumin were asked to display a link name containing non-ASCII characters, the request would terminate with an error. If data containing non-ASCII characters were added to the database (such as via Cumin or Wallaby), requests to load said data would terminate and the requested page would not be displayed until an administrator cleans the database. (CVE-2012-2682) It was found that Cumin did not set the HttpOnly flag on session cookies. This could allow a malicious script to access the session cookie. (CVE-2014-0174) |
| Alerts: | |
dbus: two denial of service flaws
| Package(s): | dbus | CVE #(s): | CVE-2014-3532 CVE-2014-3533 |
| Created: | July 3, 2014 | Updated: | December 22, 2014 |
| Description: | From the Debian advisory: CVE-2014-3532: Alban Crequy at Collabora Ltd. discovered a bug in dbus-daemon's support for file descriptor passing. A malicious process could force system services or user applications to be disconnected from the D-Bus system by sending them a message containing a file descriptor, leading to a denial of service. CVE-2014-3533: Alban Crequy at Collabora Ltd. and Alejandro Martinez Suarez discovered that a malicious process could force services to be disconnected from the D-Bus system by causing dbus-daemon to attempt to forward invalid file descriptors to a victim process, leading to a denial of service. |
| Alerts: | |
ffmpeg: multiple vulnerabilities
| Package(s): | ffmpeg | CVE #(s): | CVE-2014-2097 CVE-2014-2098 CVE-2014-2099 CVE-2014-2263 CVE-2014-4610 |
| Created: | July 7, 2014 | Updated: | July 9, 2014 |
| Description: | From the Mageia advisory: The tak_decode_frame function in libavcodec/takdec.c in FFmpeg before 2.0.4 does not properly validate a certain bits-per-sample value, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted TAK (aka Tom's lossless Audio Kompressor) data (CVE-2014-2097). libavcodec/wmalosslessdec.c in FFmpeg before 2.0.4 uses an incorrect data-structure size for certain coefficients, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted WMA data (CVE-2014-2098). The msrle_decode_frame function in libavcodec/msrle.c in FFmpeg before 2.0.4 does not properly calculate line sizes, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Microsoft RLE video data (CVE-2014-2099). The mpegts_write_pmt function in the MPEG2 transport stream (aka DVB) muxer (libavformat/mpegtsenc.c) in FFmpeg before 2.0.4 allows remote attackers to have unspecified impact and vectors, which trigger an out-of-bounds write (CVE-2014-2263). An integer overflow in LZO decompression in FFmpeg before 2.0.5 allows remote attackers to have an unspecified impact by embedding compressed data in a video file (CVE-2014-4610). |
| Alerts: | |
file: denial of service
| Package(s): | file | CVE #(s): | CVE-2014-3538 |
| Created: | July 7, 2014 | Updated: | September 11, 2014 |
| Description: | From the CVE entry: file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7345. |
| Alerts: | |
kernel: privilege escalation
| Package(s): | kernel | CVE #(s): | CVE-2014-4699 |
| Created: | July 7, 2014 | Updated: | August 11, 2014 |
| Description: | From the Debian advisory: Andy Lutomirski discovered that the ptrace syscall was not verifying the RIP register to be valid in the ptrace API on x86_64 processors. An unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation. |
| Alerts: | |
lzo: denial of service/possible code execution
| Package(s): | lzo | CVE #(s): | CVE-2014-4607 |
| Created: | July 3, 2014 | Updated: | January 2, 2017 |
| Description: | From the Red Hat bugzilla entry: An integer overflow may occur when processing any variant of a "literal run" in the lzo1x_decompress_safe function. Each of these three locations is subject to an integer overflow when processing zero bytes. This exposes the code that copies literals to memory corruption. It should be noted that if the target is 64bit liblzo2, the overflow is still possible, but impractical. An overflow would require so much input data that an attack would be infeasible even in modern computers. |
| Alerts: | |
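The literal-run length accumulation that the article describes and this entry ties to lzo1x_decompress_safe, as an added model (not LZO's code, nor any downstream project's): the naive counter beside a checked form of the same parse. It assumes a 32-bit counter, the 32-bit case Bailey's assessment singles out, and the lzo1x encoding of 255 per leading 0x00 byte plus (15 + the final byte); the input bytes are constructed inside the block.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added model, not LZO's own code: how an lzo1x-style decoder accumulates a
 * "literal run" length. Each 0x00 byte in the length field adds 255; the first
 * non-zero byte ends the field and adds (15 + byte). The counter is 32 bits,
 * as lzo_uint is on a 32-bit build (assumption of this model). */

enum { RUN_ERR_TRUNCATED = -1, RUN_ERR_OVERFLOW = -2, RUN_ERR_NOMEM = -3 };

/* Naive accumulation, the shape of the defect: the counter silently wraps,
 * so an enormous run is reported as a tiny one to the bounds checks after it. */
static long long literal_run_naive(const uint8_t *ip, size_t in_len, size_t *used)
{
    size_t i = 0;
    uint32_t t = 0;
    while (i < in_len && ip[i] == 0) {
        t += 255;                       /* wraps after 16843009 zero bytes */
        i++;
    }
    if (i >= in_len) return RUN_ERR_TRUNCATED;
    t += 15 + ip[i++];
    *used = i;
    return t;
}

/* Hardened form: count the zero bytes first, prove the arithmetic fits the
 * 32-bit counter, then require the run to fit in the remaining input. */
static long long literal_run_checked(const uint8_t *ip, size_t in_len, size_t *used)
{
    size_t zeros = 0;
    while (zeros < in_len && ip[zeros] == 0) zeros++;
    if (zeros >= in_len) return RUN_ERR_TRUNCATED;
    /* zeros * 255 + 15 + 255 must not exceed UINT32_MAX */
    if (zeros > (UINT32_MAX - 15u - 255u) / 255u) return RUN_ERR_OVERFLOW;
    uint32_t t = (uint32_t)zeros * 255u + 15u + ip[zeros];
    size_t i = zeros + 1;
    if (t > in_len - i) return RUN_ERR_TRUNCATED;   /* literal bytes missing */
    *used = i;
    return t;
}

/* Constructed input: `zeros` 0x00 bytes, one terminator byte, `payload` filler. */
static uint8_t *make_run_input(size_t zeros, uint8_t term, size_t payload, size_t *len)
{
    *len = zeros + 1 + payload;
    uint8_t *buf = calloc(*len, 1);
    if (buf) buf[zeros] = term;
    return buf;
}

/* Parse a constructed input; returns the run length or a negative RUN_ERR_* code. */
static long long parse_with(int checked, size_t zeros, uint8_t term, size_t payload)
{
    size_t len, used;
    uint8_t *buf = make_run_input(zeros, term, payload, &len);
    if (!buf) return RUN_ERR_NOMEM;
    long long r = checked ? literal_run_checked(buf, len, &used)
                          : literal_run_naive(buf, len, &used);
    free(buf);
    return r;
}

long long naive_length(size_t z, uint8_t t, size_t p)   { return parse_with(0, z, t, p); }
long long checked_length(size_t z, uint8_t t, size_t p) { return parse_with(1, z, t, p); }

int main(void)
{
    /* One zero byte past the wrap point: naive reports 270, checked refuses. */
    printf("naive=%lld checked=%lld\n", naive_length(16843010, 1, 300),
           checked_length(16843010, 1, 300));
    return 0;
}
```

The naive parser also accepts a run that claims more literal bytes than the input holds, which is the same missing check seen from the other side.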
mediawiki: prevent external resources in SVG files
| Package(s): | mediawiki | CVE #(s): | |
| Created: | July 7, 2014 | Updated: | July 11, 2014 |
| Description: | From the MediaWiki announcement: Prevent external resources in SVG files. |
| Alerts: | |
openstack-ceilometer: information leak
| Package(s): | openstack-ceilometer | CVE #(s): | CVE-2014-4615 |
| Created: | July 8, 2014 | Updated: | August 13, 2014 |
| Description: | From the Fedora advisory: Fix tokens leaking to message queue |
| Alerts: | |
owncloud: undisclosed vulnerability
| Package(s): | owncloud | CVE #(s): | |
| Created: | July 9, 2014 | Updated: | July 30, 2014 |
| Description: | From the owncloud changelog: Release "6.0.4" Fixed a security issue (Will be disclosed two weeks after this release) |
| Alerts: | |
php: information disclosure
| Package(s): | php5 | CVE #(s): | CVE-2014-4721 |
| Created: | July 9, 2014 | Updated: | July 31, 2014 |
| Description: | From the CVE entry: The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might allow context-dependent attackers to obtain sensitive information from process memory by using the integer data type with crafted values, related to a "type confusion" vulnerability, as demonstrated by reading a private SSL key in an Apache HTTP Server web-hosting environment with mod_ssl and a PHP 5.3.x mod_php. |
| Alerts: | |
phpmyadmin: cross-site scripting
| Package(s): | phpmyadmin | CVE #(s): | CVE-2014-4348 |
| Created: | July 9, 2014 | Updated: | July 30, 2014 |
| Description: | From the CVE entry: Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.2.x before 4.2.4 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database name or (2) table name that is improperly handled after presence in (a) the favorite list or (b) recent tables. |
| Alerts: | |
python: script execution
| Package(s): | python | CVE #(s): | CVE-2014-4650 |
| Created: | July 9, 2014 | Updated: | November 24, 2014 |
| Description: | From the Mageia advisory: The CGIHTTPServer Python module does not properly handle URL-encoded path separators in URLs. This may enable attackers to disclose a CGI script's source code or execute arbitrary scripts in the server's document root. |
| Alerts: | |
python-django-evolution: incompatible versions
| Package(s): | python-django-evolution | CVE #(s): | |
| Created: | July 9, 2014 | Updated: | July 9, 2014 |
| Description: | From the Red Hat bugzilla: Review Board 1.7.x is only compatible with django_evolution 0.6.x, but I accidentally pushed django_evolution 0.7.1 to stable in Fedora 19 and 20. |
| Alerts: | |
vlc: code execution
| Package(s): | vlc | CVE #(s): | CVE-2013-1868 CVE-2013-1954 CVE-2013-4388 |
| Created: | July 8, 2014 | Updated: | July 28, 2014 |
| Description: | From the CVE entries: Multiple buffer overflows in VideoLAN VLC media player 2.0.4 and earlier allow remote attackers to cause a denial of service (crash) and execute arbitrary code via vectors related to the (1) freetype renderer and (2) HTML subtitle parser. (CVE-2013-1868) The ASF Demuxer (modules/demux/asf/asf.c) in VideoLAN VLC media player 2.0.5 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted ASF movie that triggers an out-of-bounds read. (CVE-2013-1954) Buffer overflow in the mp4a packetizer (modules/packetizer/mpeg4audio.c) in VideoLAN VLC Media Player before 2.0.8 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors. (CVE-2013-4388) |
| Alerts: | |
xen: information leak
| Package(s): | xen | CVE #(s): | CVE-2014-4021 |
| Created: | July 4, 2014 | Updated: | July 9, 2014 |
| Description: | From the Red Hat bugzilla entry: While memory pages recovered from dying guests are being cleaned to avoid leaking sensitive information to other guests, memory pages that were in use by the hypervisor and are eligible to be allocated to guests weren't being properly cleaned. Such exposure of information would happen through memory pages freshly allocated to or by the guest. A malicious guest might be able to read data relating to other guests or the hypervisor itself. |
| Alerts: | |
Page editor: Jake Edge