[Bug 1531923] Re: [MIR] lz4
Override component to main
lz4 0.0~r131-1 in xenial: universe/misc -> main
liblz4-1 0.0~r131-1 in xenial amd64: universe/libs/extra/100% -> main
liblz4-1 0.0~r131-1 in xenial arm64: universe/libs/extra/100% -> main
liblz4-1 0.0~r131-1 in xenial armhf: universe/libs/extra/100% -> main
liblz4-1 0.0~r131-1 in xenial i386: universe/libs/extra/100% -> main
liblz4-1 0.0~r131-1 in xenial powerpc: universe/libs/extra/100% -> main
liblz4-1 0.0~r131-1 in xenial ppc64el: universe/libs/extra/100% -> main
liblz4-1 0.0~r131-1 in xenial s390x: universe/libs/extra/100% -> main
liblz4-1-dbg 0.0~r131-1 in xenial amd64: universe/debug/extra/100% -> main
liblz4-1-dbg 0.0~r131-1 in xenial arm64: universe/debug/extra/100% -> main
liblz4-1-dbg 0.0~r131-1 in xenial armhf: universe/debug/extra/100% -> main
liblz4-1-dbg 0.0~r131-1 in xenial i386: universe/debug/extra/100% -> main
liblz4-1-dbg 0.0~r131-1 in xenial powerpc: universe/debug/extra/100% -> main
liblz4-1-dbg 0.0~r131-1 in xenial ppc64el: universe/debug/extra/100% -> main
liblz4-1-dbg 0.0~r131-1 in xenial s390x: universe/debug/extra/100% -> main
liblz4-dev 0.0~r131-1 in xenial amd64: universe/libdevel/extra/100% -> main
liblz4-dev 0.0~r131-1 in xenial arm64: universe/libdevel/extra/100% -> main
liblz4-dev 0.0~r131-1 in xenial armhf: universe/libdevel/extra/100% -> main
liblz4-dev 0.0~r131-1 in xenial i386: universe/libdevel/extra/100% -> main
liblz4-dev 0.0~r131-1 in xenial powerpc: universe/libdevel/extra/100% -> main
liblz4-dev 0.0~r131-1 in xenial ppc64el: universe/libdevel/extra/100% -> main
liblz4-dev 0.0~r131-1 in xenial s390x: universe/libdevel/extra/100% -> main
liblz4-tool 0.0~r131-1 in xenial amd64: universe/utils/extra/100% -> main
liblz4-tool 0.0~r131-1 in xenial arm64: universe/utils/extra/100% -> main
liblz4-tool 0.0~r131-1 in xenial armhf: universe/utils/extra/100% -> main
liblz4-tool 0.0~r131-1 in xenial i386: universe/utils/extra/100% -> main
liblz4-tool 0.0~r131-1 in xenial powerpc: universe/utils/extra/100% -> main
liblz4-tool 0.0~r131-1 in xenial ppc64el: universe/utils/extra/100% -> main
liblz4-tool 0.0~r131-1 in xenial s390x: universe/utils/extra/100% -> main
29 publications overridden.

** Changed in: lz4 (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1531923

Title:
  [MIR] lz4

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lz4/+bug/1531923/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1531923] Re: [MIR] lz4
Packaging looks good to me, has bug subscribers, runs comprehensive tests, in sync. Seems great!

** Changed in: lz4 (Ubuntu)
       Status: Confirmed => Fix Committed
[Bug 1531923] Re: [MIR] lz4
Hello, I reviewed lz4 version 0.0~r131-1 as checked into xenial. This shouldn't be considered a full security audit but rather a quick gauge of maintainability.

- I found two CVEs, CVE-2014-4715 and CVE-2014-4611. One may be specific to the Linux kernel implementation of lz4 decompression; the other was an integer overflow issue with unusual architectures. While the reporting was poor and led to a very frustrated upstream, Yann moved to integrate a fuzzing process into the build alongside other extensive test suites. Builds spend far more time testing than building.
- lz4 provides a very fast compression library and tool
- Build-Depends: debhelper
- Does not itself do networking, cryptography
- Does not itself daemonize
- No pre/post inst/rm
- No init scripts
- No dbus services
- No setuids
- No sudo fragments
- No privileged portions of code
- No udev rules
- No cronjobs
- New lz4 lz4c executables, unlz4 and unlz4cat symlinks
- One lintian error: E: liblz4-1: postinst-must-call-ldconfig usr/lib/x86_64-linux-gnu/liblz4.so.1.7.1
- Clean build logs
- No subprocesses spawned
- Memory management looked careful
- Files written to are under control of callers
- Logging looked careful
- No environment variables used
- No privileged operations
- No networking
- No cryptography
- No privileged portions of code
- No webkit
- No tmp files
- No PolicyKit
- Clean cppcheck
- Clean shellcheck

lz4 is carefully coded; similar to most codecs or compression algorithms it's complicated code, but it has a good track record, responsive upstream, proactive attempts to find and prevent security issues, and the closest thing I found to a bug is a partially-implemented feature to allow changing the default suffix away from .lz4:

- LZ4IO_compressMultipleFilenames() and LZ4IO_decompressMultipleFilenames() use a hardcoded '+ 20' rather than + suffixSize + 1 + (optional slop space)
- MAXSUFFIXSIZE appears unused
- LZ4IO_decompressMultipleFilenames() hardcodes LZ4_EXTENSION length as '4' (via %4s format string)

None of this is security-relevant or even user-facing.

Security team ACK for promoting lz4 to main.

Thanks

** Changed in: lz4 (Ubuntu)
     Assignee: Seth Arnold (seth-arnold) => (unassigned)

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-4611

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-4715
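An added illustration of the sizing pattern behind the three suffix bullets in the review above; this is not lz4's code and the function names are assumptions. It shows why a fixed '+ 20' slop only holds while the suffix is the 4-byte ".lz4", and what sizing the buffer from strlen(suffix) + 1 and checking the suffix by its real length (rather than a literal 4) looks like once the suffix becomes caller-chosen.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model, not lz4's code: how a filename + suffix buffer
 * should be sized once the suffix is configurable. */

/* Fragile form: bytes reserved by a hardcoded slop, independent of the
 * suffix actually in use. Works only while the suffix stays short. */
size_t fixed_slop_reserved(const char *in_name) {
    return strlen(in_name) + 20;            /* the hardcoded '+ 20' */
}

/* Robust form: bytes actually needed for name + suffix + NUL. */
size_t bytes_needed(const char *in_name, const char *suffix) {
    return strlen(in_name) + strlen(suffix) + 1;
}

/* 1 if a fixed-slop buffer would be too small for this suffix, else 0.
 * This is the condition a configurable suffix would have to rule out. */
int fixed_slop_overflows(const char *in_name, const char *suffix) {
    return bytes_needed(in_name, suffix) > fixed_slop_reserved(in_name);
}

/* Compression side: build "<name><suffix>" in a buffer sized from the
 * real suffix length, with a bounded write. Caller frees the result. */
char *build_out_name(const char *in_name, const char *suffix) {
    size_t n = bytes_needed(in_name, suffix);
    char *out = malloc(n);
    if (out == NULL)
        return NULL;
    snprintf(out, n, "%s%s", in_name, suffix);
    return out;
}

/* Decompression side: recognise the suffix by strlen(suffix), not by a
 * literal length baked into a "%4s"-style format string. */
int has_suffix(const char *name, const char *suffix) {
    size_t nl = strlen(name), sl = strlen(suffix);
    return nl >= sl && strcmp(name + nl - sl, suffix) == 0;
}
```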
[Bug 1531923] Re: [MIR] lz4
The feature freeze is in 2 days. We need lz4 in main before that to have APT 1.2 go in before that.
[Bug 1531923] Re: [MIR] lz4
push
[Bug 1531923] Re: [MIR] lz4
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: lz4 (Ubuntu)
       Status: New => Confirmed
[Bug 1531923] Re: [MIR] lz4
This also blocks the build of apt 1.2.1, so I am giving this thread a little nudge.
[Bug 1531923] Re: [MIR] lz4
OK, I'm switching to Seth for the security look-see, because I'm 90% sure that's what Jamie would do. :)

** Changed in: lz4 (Ubuntu)
     Assignee: Jamie Strandboge (jdstrand) => Seth Arnold (seth-arnold)
[Bug 1531923] Re: [MIR] lz4
APT 1.2 is now in proposed, not to mention squashfs-tools (since October), so it would be really important to get lz4 into main ASAP.
[Bug 1531923] Re: [MIR] lz4
** Changed in: lz4 (Ubuntu)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)
[Bug 1531923] Re: [MIR] lz4
** Description changed:

  [Availability]
  OK
  
  [Rationale]
- needed for next APT release
+ needed for next APT release and to fix squashfs-tools depwait
  
  [Security]
  One CVE so far: http://www.cvedetails.com/product/28069/Yann-Collet-LZ4.html?vendor_id=13512
  
  [Quality assurance]
  Small compression library, should be easy to handle.
  
  [Dependencies]
  Satisfiable
  
  [Standards compliance]
  seems ok
  
  [Maintenance]
  Actively maintained in debian, also used by zfs and squashfs.
  
  [Background information]
  APT master has just landed support for lz4 compression using liblz4. As such, we need liblz4-1 and -dev promoted to main for the next APT release. I'm posting this ahead of the APT release so we can get this change reviewed in advance.
+ 
+ Also, squashfs-tools is currently in depwait on liblz4-dev.
[Bug 1531923] Re: [MIR] lz4
** Description changed:

  [Availability]
  OK
  
  [Rationale]
  needed for next APT release and to fix squashfs-tools depwait
  
  [Security]
  One CVE so far: http://www.cvedetails.com/product/28069/Yann-Collet-LZ4.html?vendor_id=13512
  
  [Quality assurance]
  Small compression library, should be easy to handle.
  
  No bugs in Debian, except for a packaging wish: https://bugs.debian.org
  /cgi-bin/pkgreport.cgi?src=lz4;dist=unstable
  
  Upstream bugs seem OK, mostly wishes and used as a TODO list:
  https://github.com/Cyan4973/lz4/issues
  (some small issues in the lz4 tool in liblz4-tool, but nothing really important).
  
  [Dependencies]
  Satisfiable
  
  [Standards compliance]
  seems ok
  
  [Maintenance]
  Actively maintained in debian, also used by zfs and squashfs.
+ Foundations is now subscribed to bugs for the package.
+ 
  [Background information]
  APT master has just landed support for lz4 compression using liblz4. As such, we need liblz4-1 and -dev promoted to main for the next APT release. I'm posting this ahead of the APT release so we can get this change reviewed in advance.
  
  Also, squashfs-tools is currently in depwait on liblz4-dev.
[Bug 1531923] Re: [MIR] lz4
** Description changed:

  [Availability]
  OK
  
  [Rationale]
  needed for next APT release and to fix squashfs-tools depwait
  
  [Security]
  One CVE so far: http://www.cvedetails.com/product/28069/Yann-Collet-LZ4.html?vendor_id=13512
  
  [Quality assurance]
  Small compression library, should be easy to handle.
+ 
+ No bugs in Debian, except for a packaging wish: https://bugs.debian.org
+ /cgi-bin/pkgreport.cgi?src=lz4;dist=unstable
+ 
+ Upstream bugs seem OK, mostly wishes and used as a TODO list:
+ https://github.com/Cyan4973/lz4/issues
+ (some small issues in the lz4 tool in liblz4-tool, but nothing really important).
  
  [Dependencies]
  Satisfiable
  
  [Standards compliance]
  seems ok
  
  [Maintenance]
  Actively maintained in debian, also used by zfs and squashfs.
  
  [Background information]
  APT master has just landed support for lz4 compression using liblz4. As such, we need liblz4-1 and -dev promoted to main for the next APT release. I'm posting this ahead of the APT release so we can get this change reviewed in advance.
  
  Also, squashfs-tools is currently in depwait on liblz4-dev.
[Bug 1531923] Re: [MIR] lz4
** Description changed:

  [Availability]
  OK
  
  [Rationale]
  needed for next APT release
  
  [Security]
  ?
  
  [Quality assurance]
  Small compression library, should be easy to handle.
  
  [Dependencies]
  Satisfiable
  
  [Standards compliance]
  seems ok
  
  [Maintenance]
- ?
+ Actively maintained in debian, also used by zfs and squashfs.
  
  [Background information]
  APT master has just landed support for lz4 compression using liblz4. As such, we need liblz4-1 and -dev promoted to main for the next APT release. I'm posting this ahead of the APT release so we can get this change reviewed in advance.

** Description changed:

  [Availability]
  OK
  
  [Rationale]
  needed for next APT release
  
  [Security]
- ?
+ One CVE so far: http://www.cvedetails.com/product/28069/Yann-Collet-LZ4.html?vendor_id=13512
  
  [Quality assurance]
  Small compression library, should be easy to handle.
  
  [Dependencies]
  Satisfiable
  
  [Standards compliance]
  seems ok
  
  [Maintenance]
  Actively maintained in debian, also used by zfs and squashfs.
  
  [Background information]
  APT master has just landed support for lz4 compression using liblz4. As such, we need liblz4-1 and -dev promoted to main for the next APT release. I'm posting this ahead of the APT release so we can get this change reviewed in advance.