lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 10 Jan 2017 11:00:32 +0100
From:   Greg KH <gregkh@...uxfoundation.org>
To:     Sven Schmidt <4sschmid@...ormatik.uni-hamburg.de>
Cc:     akpm@...ux-foundation.org, bongkyu.kim@....com,
        rsalvaterra@...il.com, sergey.senozhatsky@...il.com,
        linux-kernel@...r.kernel.org, herbert@...dor.apana.org.au,
        davem@...emloft.net, linux-crypto@...r.kernel.org,
        anton@...msg.org, ccross@...roid.com, keescook@...omium.org,
        tony.luck@...el.com, phillip@...ashfs.org.uk
Subject: Re: [PATCH v2 1/4] lib: Update LZ4 compressor module based on LZ4
 v1.7.2.

On Tue, Jan 10, 2017 at 10:21:16AM +0100, Sven Schmidt wrote:
> On 01/08/2017 12:25 PM, Greg KH wrote:
> >On Sat, Jan 07, 2017 at 05:55:42PM +0100, Sven Schmidt wrote:
> >> This patch updates LZ4 kernel module to LZ4 v1.7.2 by Yann Collet.
> >> The kernel module is inspired by the previous work by Chanho Min.
> >> The updated LZ4 module will not break existing code since there were alias
> >> methods added to ensure backwards compatibility.
> >
> > Meta-comment.  Does this update include all of the security fixes that
> > we have made over the past few years to the lz4 code?  I don't want to
> > be adding back insecure functions that will cause us problems.
> >
> > Specifically look at the changes I made in 2014 in this directory for an
> > example of what I am talking about here.
> >
> 
> Hi Greg,
> 
> it doesn't. I didn't have that in mind until now.

Ick, those changes never got made "upstream"?  Not good, but makes sense
as we couldn't really find an "upstream" when we made them :(

As you took this code from somewhere, you might want to also push your
changes for these issues there as well, so that others don't run into
them in the future.

thanks,

greg k-h

Powered by blists - more mailing lists