A recent *"Lab Mouse Security research blog" entry* <http://blog.securitymouse.com/2014/06/raising-lazarus-20-year-old-bug-that.html> claimed that a bug exists in several implementations of the LZO algorithm commonly used by OpenVPN and that the bug causes a security vulnerability.
A rebuttal on the "RealTime Data Compression" blog <http://fastcompression.blogspot.co.uk/2014/06/lets-move-on.html> points out that the circumstances required to exploit the vulnerability make exploitation unlikely. Among other requirements, the rebuttal says that a problem only happens with block sizes larger than 8MB.

Am I correct to assume that OpenVPN's use of LZO is restricted to much smaller block sizes? I assume the block sizes that OpenVPN uses LZO for are limited to the maximum packet size, which would be on the order of 1500 bytes or so (because of MTU size limits). Or does OpenVPN ever use LZO on larger amounts of data? Is there any possibility of OpenVPN using LZO on 8MB?

Also see the discussion on the LZ4 discussion board <https://code.google.com/p/lz4/issues/detail?id=52>; the vulnerability was actually discovered by Ludvig Strigeus <https://en.wikipedia.org/wiki/Ludvig_Strigeus> eighteen months ago.