Every version of the Lempel–Ziv–Oberhumer (LZO) compression algorithm released over the past 20 years has been vulnerable to remote code execution and denial-of-service attacks.
The flaw has persisted for two decades and affects all versions because each new implementation was built on the same core open-source code.
The fault is an integer overflow that occurs when the decompressor processes a Literal Run, a piece of data that is stored uncompressed, said Don A. Bailey, founder and chief executive of Lab Mouse Security, who disclosed the technical details in a blog post.
Since its design by Markus Oberhumer in 1994, the LZO algorithm has gained popularity because of its efficient compression, and today it is widely used across devices and systems.
Among its users are the Linux kernel, some Samsung Android phones and even NASA's Mars Curiosity Rover (which means that LZO made it to Mars). It is also found in projects such as OpenVPN, FFmpeg, Libav and MPlayer2.
To better understand how widespread the algorithm is, Oberhumer said: “if you do have a car, a mobile telephone, a computer, a console, or have been to the hospital recently, there’s a good chance that you have been in contact with our embedded data compression technology.”
Because it is so widespread, the risk is significant. However, LZO has undergone numerous modifications to adapt it to various open and closed systems, so researchers said a potential attacker would have to build a custom exploit for each implementation.
The denial-of-service risk, while real, does not apply to every version, and remote code execution is subject to platform and architecture restrictions that an attacker would have to overcome before deploying an exploit.
Vendors should by now be offering patched versions of LZO, and users should update as soon as possible.
Bailey said that finding out whether a specific implementation is vulnerable comes down to determining the maximum chunk size its decompression routine accepts. An unaffected version passes only buffers smaller than 16MB to the LZO or LZ4 decompress routine, because the overflow cannot be triggered with less input than that.
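To make the overflow and the 16MB check concrete, here is an added example in C that is not code from the article, from Bailey's blog, or from the LZO library. It models only the literal-run length encoding the article describes (a leading 0 byte, then 255 per additional 0 byte, then 15 plus the final byte), decodes it with a 32-bit counter, and contrasts a vulnerable bounds guard of the form `t + 3 <= available` with a hardened one. All function names, the 64 KiB output window and the constructed input are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed model of the LZO1X literal-run length encoding described above:
 * a leading 0 byte announces a long run, every further 0 byte adds 255 to the
 * count, and the final non-zero byte adds 15 + its value. Illustration only,
 * not the LZO library's own code. */

enum run_verdict { RUN_OK = 0, RUN_TRUNCATED = 1, RUN_TOO_LONG = 2 };

/* Decode the run length with a 32-bit counter, as a 32-bit lzo_uint would.
 * On success *t receives the count and *used the number of input bytes read. */
static enum run_verdict decode_run_len(const uint8_t *ip, size_t in_len,
                                       uint32_t *t, size_t *used)
{
    size_t pos;
    uint32_t n = 0;
    if (in_len == 0 || ip[0] != 0) return RUN_TRUNCATED;  /* not a long run */
    for (pos = 1; pos < in_len && ip[pos] == 0; pos++)
        n += 255;                 /* unsigned: wraps after ~16.8 million zeros */
    if (pos >= in_len) return RUN_TRUNCATED;
    n += 15 + ip[pos++];
    *t = n;
    *used = pos;
    return RUN_OK;
}

/* Vulnerable guard (assumed shape, modelled on a NEED_OP(t + 3)-style check):
 * the addition happens in 32 bits, so a counter near 0xFFFFFFFF makes t + 3
 * tiny, the check passes, and a copy of ~4 GiB would follow. */
static enum run_verdict guard_vulnerable(uint32_t t, size_t out_avail)
{
    uint32_t need = t + 3;        /* 0xFFFFFFFF + 3 wraps to 2 */
    return (need > out_avail) ? RUN_TOO_LONG : RUN_OK;
}

/* Hardened guard: never form t + 3; compare t against the space left after
 * the three mandatory bytes, and refuse input chunks of 16 MiB or more, since
 * 16 MiB * 255 + 15 + 255 still fits in 32 bits so the counter cannot wrap. */
static enum run_verdict guard_hardened(uint32_t t, size_t out_avail, size_t in_len)
{
    if (in_len >= (size_t)16 * 1024 * 1024) return RUN_TOO_LONG;
    if (out_avail < 3 || t > out_avail - 3) return RUN_TOO_LONG;
    return RUN_OK;
}

/* Constructed input: leading 0, POISON_ZEROS more zero bytes, then 0xF0.
 * 255 * 16843008 + 15 + 0xF0 == 0xFFFFFFFF, so t + 3 wraps to 2.
 * The buffer is just over 16 MiB; the caller frees it. */
#define POISON_ZEROS 16843008u
static uint8_t *build_poisoned_run(size_t *len)
{
    size_t n = 1 + POISON_ZEROS + 1;
    uint8_t *buf = calloc(n, 1);
    if (!buf) return NULL;
    buf[n - 1] = 0xF0;
    *len = n;
    return buf;
}

/* Decode the poisoned input and return the 32-bit counter (0 on failure). */
static uint32_t poisoned_counter(void)
{
    size_t len, used;
    uint32_t t = 0;
    uint8_t *buf = build_poisoned_run(&len);
    if (!buf) return 0;
    if (decode_run_len(buf, len, &t, &used) != RUN_OK || used != len) t = 0;
    free(buf);
    return t;
}

/* Decode a short, legitimate run {0, 0, 5}: 255 + 15 + 5 == 275. */
static uint32_t short_run_counter(void)
{
    static const uint8_t run[] = { 0, 0, 5 };
    size_t used;
    uint32_t t = 0;
    if (decode_run_len(run, sizeof run, &t, &used) != RUN_OK) return 0;
    return t;
}

/* Returns 1 when the vulnerable guard accepts the poisoned run for a 64 KiB
 * output window while the hardened guard rejects it. */
static int demo(void)
{
    size_t len = 1 + POISON_ZEROS + 1;
    uint32_t t = poisoned_counter();
    if (t == 0) return -1;
    printf("counter: 0x%08x, t+3 in 32 bits: %u\n", t, (unsigned)(t + 3));
    return guard_vulnerable(t, 65536) == RUN_OK &&
           guard_hardened(t, 65536, len) == RUN_TOO_LONG;
}

int main(void)
{
    return demo() == 1 ? 0 : 1;
}
```

The vulnerable guard is the mechanism the article's "integer overflow" refers to in this model: the counter is pushed to the top of its 32-bit range and the small `t + 3` slips past the bounds check. The hardened guard shows both fixes a practitioner would want, the overflow-free comparison and the chunk-size cap that the article gives as the test for an unaffected build.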
Bailey said all users of FFmpeg and Libav, along with every project that depends on them, should update their software because remote code execution is possible there. Not using them is another way to avoid the risk.