FixNix Blog

20-YEAR OLD VULNERABILITY PATCHED IN LZO COMPRESSION ALGORITHM

Jul 7, 2014 5:57:19 AM / by Shanmugavel Sankaran

A 20-year old vulnerability in the Lempel-Ziv-Oberhumer (LZO) compression algorithm – used in some Android phones, the Linux kernel, and even Mars Rovers – was finally patched this week.

Code stemming from the algorithm’s library function has existed in the wild for two decades, but was recycled over and over again, which made it tricky to patch.

Version 2.07 of the algorithm fixes the longstanding issue – a subtle integer overflow condition in the “safe” decompressor variants that could have led to a buffer overrun if the algorithm processed any malicious input data.

Lab Mouse Security CEO and Founder Don Bailey discussed the details regarding the long-awaited patch:
“By reusing code that is known to work well, especially in highly optimized algorithms, projects can become subject to vulnerabilities in what is perceived as trusted code,” Bailey explained

Bailey, who regularly conducts research in the fields of mobile technology, the Internet of Things, and embedded systems, went on to warn that while implementations of LZO are noticeably different, each “variant is vulnerable in the exact same way.” Bailey urges end users who oversee the algorithm to evaluate each implementation for risk, even if it’s already been patched.

If left unpatched, the bug can be exploited whenever the algorithm processes a Literal Run, a chunk of data that hasn’t been compressed.

Bailey gives a series of in depth security solutions that administrators can follow to first, determine if their infrastructure is vulnerable to the flaw and second, how to patch it.

LZO is a portable lossless data compression library that allows for overlapping compression and in-place decompression. Over the years, the algorithm has found its way, one way or another, into a handful of projects such as Android, OpenVPN, MPlayer2, Libav, the Linux kernel and Juniper’s Junos, among other entities.

The algorithm’s crowing achievement to date may be its implementation in NASA’s Mars Curiosity Rover. The robotic rover just completed its first Martian year, 687 Earth days, on Mars earlier this week and like rovers before it, Spirit and Opportunity, has micro controllers on board that use LZO.

Topics: LZO COMPRESSION ALGORITHM, MARS rover, 20-YEAR OLD VULNERABILITY, Android, Blog

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

see all

Recent Posts