(FreeBSD Issues Revised Fix) 'zlib' Shared Compression Library Contains 'Double Free()' Buffer Overflow That Lets Remote Users Cause Programs Using zlib to Crash or Execute Arbitrary Code

Date: Apr 18 2002

Impact: Denial of service via network, Execution of arbitrary code via local system, Execution of arbitrary code via network

Fix Available: Yes
Vendor Confirmed: Yes

Version(s): prior to 1.1.3

Description: A vulnerability was reported in the zlib shared library, a widely used library that provides in-memory compression and decompression functions. A remote user could cause programs using this library to crash or to execute arbitrary code on the system.

It is reported that certain types of input will cause zlib to free the same area of memory twice (i.e., perform a "double free"), resulting in a buffer overflow condition when expanding compressed input. A remote user can cause programs that process untrusted user-supplied compressed input to crash or potentially execute arbitrary code on the system.

It is reported that web browsers, email programs that display image attachments, and other programs that uncompress data may be particularly affected.

It is reported that Matthias Clasen <maclas@gmx.de> and Owen Taylor <otaylor@redhat.com> discovered this bug.

Impact: A remote user can cause affected programs that use zlib to process untrusted user-supplied compressed input to crash or potentially execute arbitrary code on the system.

Solution: The vendor has released a fix that, in comparison with the previous (flawed) patch, corrects the ZFREE location in the kernel patch and corrects the deflate window size check.

As a workaround, FreeBSD provides the following directions:

To prevent affected programs from aborting, remove the 'A' from the malloc flags. To check which malloc flags are in use, issue the following commands:

# ls -l /etc/malloc.conf
# echo $MALLOC_OPTIONS

A nonexistent /etc/malloc.conf or MALLOC_OPTIONS environment variable means that no malloc flags are in use. See the malloc(3) man page for more information.

As a solution, FreeBSD issues the following directions:

[FreeBSD 4.x base system]

1) Upgrade your vulnerable system to 4.5-STABLE or to one of the RELENG_4_4 or RELENG_4_5 security branches dated after the respective correction dates. The correction dates are:

2002-02-24 23:12:48 UTC (RELENG_4)
2002-02-24 23:22:57 UTC (RELENG_4_5)
2002-02-24 23:23:58 UTC (RELENG_4_4)
2002-02-24 23:24:46 UTC (RELENG_4_3)

2) To patch your present system: download the relevant patch from the below location, and execute the following commands as root:

For FreeBSD 4.x systems that have the previous zlib patch applied:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.v1.1.corrected.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.v1.1.corrected.patch.asc

For FreeBSD 4.x systems that do not have the previous zlib patch applied:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.v1.1.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.v1.1.patch.asc

Verify the detached PGP signature using your PGP utility.

This patch has been verified to apply to all FreeBSD 4.x versions.

# cd /usr/src
# patch -p < /path/to/patch
# cd lib/libz
# make depend && make all install

Then rebuild and reinstall your kernel as described in http://www.freebsd.org/handbook/kernelconfig.html and reboot the system with the new kernel for the changes to take effect.

Note that various ports may statically link zlib or contain their own versions of zlib that have not been corrected by updating the FreeBSD libz. Efforts are underway to identify and correct these ports.

Vendor URL: www.gzip.org/zlib/ (Links to External Site)

Cause: Boundary error

Underlying OS: UNIX (FreeBSD)

Underlying OS Comments: 4, 4.3, 4.4, 4.5

Reported By: FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>
Message History:
This archive entry is a follow-up to the message listed below.

Source Message Contents

Date: Thu, 18 Apr 2002 11:25:22 -0700 (PDT)
From: FreeBSD Security Advisories <security-advisories@FreeBSD.ORG>
Subject: FreeBSD Security Advisory FreeBSD-SA-02:18.zlib [REVISED]

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:18                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          zlib double-free

Category:       core, ports
Module:         zlib
Announced:      2002-03-18
Credits:        Matthias Clasen <maclas@gmx.de>
                Owen Taylor <otaylor@redhat.com>
Affects:        All released versions of FreeBSD
                FreeBSD 4.5-STABLE prior to the correction date
                Various ports using or including zlib
Corrected:      2002-02-24 23:12:48 UTC (RELENG_4)
                2002-02-24 23:22:57 UTC (RELENG_4_5)
                2002-02-24 23:23:58 UTC (RELENG_4_4)
                2002-02-24 23:24:46 UTC (RELENG_4_3)
CVE:            CAN-2002-0059
FreeBSD only:   NO

0.   Revision History

v1.0  2002-04-20  Initial release
v1.1  2002-04-25  Corrected ZFREE location in kernel patch
                  Corrected deflate window size check

I.   Background

zlib is a compression library used by numerous applications to provide
data compression/decompression routines.

II.  Problem Description

A programming error in zlib may cause segments of dynamically
allocated memory to be released more than once (double-freed).

If an attacker is able to pass a specially-crafted block of invalid
compressed data to a program that includes zlib, the program's
attempt to decompress the crafted data may cause the zlib routines
to attempt to free memory multiple times.

Unlike some implementations of malloc(3)/free(3), the malloc(3) and
free(3) routines used in FreeBSD (aka phkmalloc, written by
Poul-Henning Kamp <phk@FreeBSD.org>), are not vulnerable to this type
of bug. From the author:

    Most mallocs keep their housekeeping data right next to the
    allocated range. This gives rise to all sorts of unpleasant
    situations if programs stray outside the dotted line, free(3)
    things twice or free(3) modified pointers.

    phkmalloc(3) does not store housekeeping next to allocated data,
    and in particular it has code that detects and complains about
    exactly this kind of double free.

When attempting to double-free an area of memory, phkmalloc will
issue a warning:

    progname in free(): error: chunk is already free

and may call abort(3) if the malloc flag 'A' is used.

III. Impact

If an attacker is able to pass a specially-crafted block of invalid
compressed data to an application that utilizes zlib, the attempt to
decompress the data may cause incorrect operation of the application,
including possibly crashing the application. Also, the malloc
implementation will issue warnings and, if the `A' malloc option is
used, cause the application to abort(3). In short, an attacker may
cause a denial of service in applications utilizing zlib.

IV.  Workaround

To prevent affected programs from aborting, remove the 'A' from
the malloc flags. To check which malloc flags are in use, issue the
following commands:

# ls -l /etc/malloc.conf
# echo $MALLOC_OPTIONS

A nonexistent /etc/malloc.conf or MALLOC_OPTIONS environmental variable
means that no malloc flags are in use. See the malloc(3) man page for
more information.

V.   Solution

[FreeBSD 4.x base system]

1) Upgrade your vulnerable system to 4.5-STABLE or to one of the
RELENG_4_4 or RELENG_4_5 security branches dated after the respective
correction dates.

2) To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

For FreeBSD 4.x systems that have the previous zlib patch applied:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.v1.1.corrected.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.v1.1.corrected.patch.asc

For FreeBSD 4.x systems that do not have the previous zlib patch
applied:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.v1.1.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.v1.1.patch.asc

Verify the detached PGP signature using your PGP utility.

This patch has been verified to apply to all FreeBSD 4.x versions.

# cd /usr/src
# patch -p < /path/to/patch
# cd lib/libz
# make depend && make all install

Then rebuild and reinstall your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system with the new kernel for the changes to take effect.

[ports]

Various ports may statically link zlib or contain their own versions
of zlib that have not been corrected by updating the FreeBSD libz.
Efforts are underway to identify and correct these ports.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                          Branch        Revision
- -------------------------------------------------------------------------
src/lib/libz/deflate.c        RELENG_4      1.5.2.1
                              RELENG_4_5    1.5.8.1
                              RELENG_4_4    1.5.6.1
                              RELENG_4_3    1.5.4.1
src/lib/libz/infblock.c       RELENG_4      1.1.1.4.6.1
                              RELENG_4_5    1.1.1.4.12.1
                              RELENG_4_4    1.1.1.4.10.1
                              RELENG_4_3    1.1.1.4.8.1
src/sys/net/zlib.c            RELENG_4      1.10.2.3
                              RELENG_4_5    1.10.8.2
                              RELENG_4_4    1.10.6.2
                              RELENG_4_3    1.10.4.2
- -------------------------------------------------------------------------

VII. References

<URL:http://online.securityfocus.com/archive/1/261205>

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0059 to this issue.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
iQCVAwUBPL7ZU1UuHi5z0oilAQFBSAQAjR7ddnCz9WUySoE3wxUtrrEyp5ZGw0cW
8PNIdu78zLdBYwAMr02ZPht+3tb1E3ycshO+MLhtW05SrDWPd5KIy6nk03AOjgB9
aKPs+B2NKN84W3udAtHaGYWL24ef8PJFJnna05oAiuXHrkCyHbMIB11RJ86ZJx3u
4DHKy14D8lE=
=EeE6
-----END PGP SIGNATURE-----
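The advisory explains why phkmalloc survives this bug class: its housekeeping lives apart from the chunks it hands out, so a second free(3) of the same chunk is recognised and reported ("chunk is already free") instead of corrupting heap metadata. The following C program is an added illustration of that idea and is not zlib or FreeBSD code. It wraps malloc/free with a small out-of-band table of live pointers (`guarded_alloc`, `guarded_free`, both hypothetical names), runs a cleanup routine shaped like the bug (two release paths for one buffer) and a corrected single-owner cleanup, and counts how many double frees the wrapper intercepted. The "corrected" routine shows the generic free-and-clear pattern, not the specific change made to zlib.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical allocator wrapper (added example, not phkmalloc itself):
 * bookkeeping is a table of live pointers kept away from the chunks,
 * so a repeated free can be detected by lookup rather than by trusting
 * metadata stored inside the (possibly already reused) chunk.
 * Limitation: once a chunk is freed and the same address is handed out
 * again by a later guarded_alloc(), a stale second free of the old
 * pointer would look legitimate; the demos below allocate nothing
 * between the two frees, so that case does not arise here.
 */
#define MAX_LIVE 64

static void *live[MAX_LIVE];        /* pointers currently allocated */
static int double_free_count;       /* second frees caught so far */

/* Index of p in the live table, or -1 if p is not a tracked chunk. */
static int find_live(const void *p)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p)
            return i;
    return -1;
}

void *guarded_alloc(size_t n)
{
    int slot = find_live(NULL);     /* first empty slot */
    if (slot < 0)
        return NULL;                /* table full: refuse rather than lose track */
    void *p = malloc(n);
    if (p != NULL)
        live[slot] = p;
    return p;
}

/*
 * Returns 1 when p was live and has been released, 0 when p was not
 * tracked (a double free or a foreign pointer). In the 0 case the chunk
 * is deliberately NOT passed to free() again.
 */
int guarded_free(void *p)
{
    if (p == NULL)
        return 1;                   /* free(NULL) is a no-op, as in libc */
    int slot = find_live(p);
    if (slot < 0) {
        double_free_count++;
        fprintf(stderr, "guarded_free(): error: chunk is already free\n");
        return 0;
    }
    live[slot] = NULL;
    free(p);
    return 1;
}

int guarded_double_free_count(void)
{
    return double_free_count;
}

/* One buffer referenced from a stream state that two cleanup paths share. */
struct stream {
    unsigned char *window;
};

/* Bug-shaped cleanup: the window is released from two places and the
 * pointer is never cleared. Returns how many double frees were caught. */
int cleanup_double_free(void)
{
    int before = double_free_count;
    struct stream s = { guarded_alloc(32) };
    if (s.window == NULL)
        return -1;
    memset(s.window, 0, 32);
    guarded_free(s.window);         /* first release: fine */
    guarded_free(s.window);         /* second release: caught, not freed */
    return double_free_count - before;
}

/* Corrected cleanup: release once and clear the pointer, so any later
 * cleanup pass sees NULL and does nothing. Returns double frees caught. */
int cleanup_single_owner(void)
{
    int before = double_free_count;
    struct stream s = { guarded_alloc(32) };
    if (s.window == NULL)
        return -1;
    guarded_free(s.window);
    s.window = NULL;
    guarded_free(s.window);         /* NULL: nothing to do */
    return double_free_count - before;
}

int main(void)
{
    printf("bug-shaped cleanup: %d double free(s) caught\n", cleanup_double_free());
    printf("single-owner cleanup: %d double free(s) caught\n", cleanup_single_owner());
    return 0;
}
```

The detection depends entirely on the lookup table being outside the chunk: a conventional allocator that reads a size or free-list link from the freed chunk's header would act on whatever the second free finds there, which is the state the summary above describes as a buffer overflow condition. The same limitation noted in the comments applies to phkmalloc-style detection in general, which is why the advisory's fix removes the second free rather than relying on the allocator to catch it.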