Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
|
|
|
Want to learn about SecurityTracker? We've got answers to frequently asked questions right here
|
|
|
|
|
|
|
|
|
|
|
(Sun Issues Preliminary T-patches) Re: 'zlib' Shared Compression Library Contains 'Double Free()' Buffer Overflow That Lets Remote Users Cause Programs Using zlib to Crash or Execute Arbitrary Code
|
Date: Apr 1 2002
|
Impact: Denial of service via network, Execution of arbitrary code via local system, Execution of arbitrary code via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): prior to 1.1.3
|
Description: A vulnerability was reported in the zlib shared library, a widely used library that provides in-memory compress and decompression
functions. A remote user could cause programs using this library to crash or to execute arbitrary code on the system.
It is reported that certain types of input will cause zlib to free the same area of memory twice (i.e., perform a "double free"),
resulting in a buffer overflow condition when expanding compressed input. A remote user can cause programs that process untrusted
user-supplied compressed input to crash or potentially execute arbitrary code on the system.
It is reported that web browsers
or email programs that display image attachments or other programs that uncompress data may be particularly affected.
It is reported
that Matthias Clasen <maclas@gmx.de> and Owen Taylor <otaylor@redhat.com> discovered this bug.
|
Impact: A remote user can cause affected programs that use zlib to process untrusted user-supplied compressed input to crash or potentially execute arbitrary code on the system.
|
Solution: Sun has issued a preliminary fix and has indicated that a final solution is pending.
Preliminary T-patches are available for the
following releases from:
http://sunsolve.sun.com/tpatches
SPARC
Open Windows 3.6.1 (for Solaris 7) T-patch
T108376-37.tar.Z
Open Windows 3.6.2 (for Solaris 8) T-patch T108652-51.tar.Z
Solaris 8 T-patch T112611-01.tar.Z
Intel
Open Windows 3.6.1 (for Solaris 7) T-patch T108377-33.tar.Z
Open Windows 3.6.2 (for Solaris 8) T-patch T108653-41.tar.Z
Solaris 8 T-patch T112612-01.tar.Z
Sun has also issued the following disclaimer:
"This document refers to one or more
preliminary temporary patches (T-patches) which are designed to address the concerns identified herein. Sun has limited experience
with these patches due to their preliminary nature. Sun may release full patches at a later date, however, Sun is under no obligation
whatsoever to create, release, or distribute any such patches."
|
Vendor URL: www.gzip.org/zlib/ (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: UNIX (Solaris - SunOS)
|
Underlying OS Comments: Solaris 8
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Mon, 01 Apr 2002 01:10:00 -0500
Subject: Security issue with zlib (libz(3)) in Solaris and OpenWindows
|
DOCUMENT ID: 43541
SYNOPSIS: Security issue with zlib (libz(3)) in Solaris and OpenWindows
DETAIL DESCRIPTION:
Sun(sm) Alert Notification
Sun Alert ID: 43541
Synopsis: Security issue with zlib (libz(3)) in Solaris and
OpenWindows
Category: Security
Product: Solaris, OpenWindows
BugIDs: 4644966, 4644859
Avoidance: Workaround, T-Patch
State: Committed
Date Released: 28-Mar-2002
Date Closed:
Date Modified:
1. Impact
Depending upon how and where the zlib routines are called from an
application which links with zlib, the resulting vulnerability may
result in a denial of service, information leakage, or execution of
arbitrary code.
A large number of free applications and libraries have been identified
as using zlib at http://www.gzip.org/zlib/apps.html. Some of this
freeware is shipped on the Solaris 8 Software Companion CD.
This issue is described in the CERT Vulnerability VU#368819 (see
http://www.kb.cert.org/vuls/id/368819) which is referenced in CA-2002-07
(see http://www.cert.org/advisories/CA-2002-07.html).
2. Contributing Factors
This issue can occur in the following releases:
SPARC
Open Windows 3.6.1 (for Solaris 7) with the following patches:
107648-02 through 107648-09
or
107078-19
or
108376-01 through 108376-36
Open Windows 3.6.2 (for Solaris 8)
Solaris 8
Intel
Open Windows 3.6.1 (for Solaris 7) with the following patches:
107649-02 through 107649-09
or
107079-18
or
108377-01 through 108377-32
Open Windows 3.6.2 (for Solaris 8)
Solaris 8
Notes: The vulnerable OpenWindows library (libz) was introduced into
OpenWindows 3.6.1 in the feature patches listed above.
Prior to installing the feature patch, OpenWindows 3.6.1 was not
vulnerable.
Solaris 7 and earlier are not vulnerable to this issue as the Solaris
libz library was not shipped in Solaris 7 and earlier.
3. Symptoms
An application which links with zlib may be able to be killed when
handling untrusted zipped input. There are no reliable symptoms to show
arbitrary code has been inserted into a running program linked with zlib
and executed.
SOLUTION SUMMARY:
4. Relief/Workaround
Preliminary T-patches are available for the following releases from:
http://sunsolve.sun.com/tpatches
SPARC
Open Windows 3.6.1 (for Solaris 7) T-patch T108376-37.tar.Z
Open Windows 3.6.2 (for Solaris 8) T-patch T108652-51.tar.Z
Solaris 8 T-patch T112611-01.tar.Z
Intel
Open Windows 3.6.1 (for Solaris 7) T-patch T108377-33.tar.Z
Open Windows 3.6.2 (for Solaris 8) T-patch T108653-41.tar.Z
Solaris 8 T-patch T112612-01.tar.Z
This document refers to one or more preliminary temporary patches
(T-patches) which are designed to address the concerns identified
herein. Sun has limited experience with these patches due to their
preliminary nature. Sun may release full patches at a later date,
however, Sun is under no obligation whatsoever to create, release, or
distribute any such patches.
5. Resolution
A final solution is pending completion.
This Sun Alert notification is being provided to you on an "AS IS"
basis. Sun makes no representations, warranties, or guaranties as to the
quality, suitability, truth, accuracy or completeness of any of the
information contained herein. This Sun Alert notification may contain
information provided by third parties. ANY AND ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY
DISCLAIMED. The issues described in this Sun Alert notification may or
may not impact your system(s).
BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL
DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION
CONTAINED HEREIN.
This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your Confidential Disclosure Agreement or the confidentiality provisions
of your agreement to purchase services from Sun. In the event that you
do not have one of the above-referenced agreements with Sun, this
information is provided pursuant to the confidentiality provisions of
the Sun.com Terms of Use. This Sun Alert notification may only be used
for the purposes contemplated by these agreements.
Copyright 2001, 2002 Sun Microsystems, Inc., 901 San Antonio Road, Palo
Alto, CA 94303 U.S.A. All rights reserved.
|
|
Go to the Top of This SecurityTracker Archive Page
|
