A 20-year old vulnerability in the Lempel-Ziv-Oberhumer (LZO) compression algorithm – used in some Android phones, the Linux kernel, and even Mars Rovers – was finally patched this week.
Code stemming from the algorithm’s library function has existed in the wild for two decades, but was recycled over and over again, which made it tricky to patch.
While the algorithm has been tweaked over the years, each iteration has featured the same core open source implementation, first written by Markus Oberhumer in 1994.
Version 2.07 of the algorithm fixes the longstanding issue – a subtle integer overflow condition in the “safe” decompressor variants that could have led to a buffer overrun if the algorithm processed any malicious input data.
Lab Mouse Security CEO and Founder Don Bailey discussed the details regarding the long-awaited patch in a blog entry Thursday.
“By reusing code that is known to work well, especially in highly optimized algorithms, projects can become subject to vulnerabilities in what is perceived as trusted code,” Bailey explained
Bailey, who regularly conducts research in the fields of mobile technology, the Internet of Things, and embedded systems, went on to warn that while implementations of LZO are noticeably different, each “variant is vulnerable in the exact same way.” Bailey urges end users who oversee the algorithm to evaluate each implementation for risk, even if it’s already been patched.
If left unpatched, the bug can be exploited whenever the algorithm processes a Literal Run, a chunk of data that hasn’t been compressed.
Bailey gives a series of in depth security solutions that administrators can follow to first, determine if their infrastructure is vulnerable to the flaw and second, how to patch it.
LZO is a portable lossless data compression library that allows for overlapping compression and in-place decompression. Over the years, the algorithm has found its way, one way or another, into a handful of projects such as Android, OpenVPN, MPlayer2, Libav, the Linux kernel and Juniper’s Junos, among other entities.
The algorithm’s crowing achievement to date may be its implementation in NASA’s Mars Curiosity Rover. The robotic rover just completed its first Martian year, 687 Earth days, on Mars earlier this week and like rovers before it, Spirit and Opportunity, has micro controllers on board that use LZO.