(Openbsd Issues Patch) 'zlib' Shared Compression Library Contains 'Double Free()' Buffer Overflow That Lets Remote Users Cause Programs Using zlib to Crash or Execute Arbitrary Code
|
Date: Mar 20 2002
|
Impact: Denial of service via network, Execution of arbitrary code via local system, Execution of arbitrary code via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): prior to 1.1.3
|
Description: A vulnerability was reported in the zlib shared library, a widely used library that provides in-memory compress and decompression
functions. A remote user could cause programs using this library to crash or to execute arbitrary code on the system.
It is reported that certain types of input will cause zlib to free the same area of memory twice (i.e., perform a "double free"),
resulting in a buffer overflow condition when expanding compressed input. A remote user can cause programs that process untrusted
user-supplied compressed input to crash or potentially execute arbitrary code on the system.
It is reported that web browsers
or email programs that display image attachments or other programs that uncompress data may be particularly affected.
It is reported
that Matthias Clasen <maclas@gmx.de> and Owen Taylor <otaylor@redhat.com> discovered this bug.
|
Impact: A remote user can cause affected programs that use zlib to process untrusted user-supplied compressed input to crash or potentially execute arbitrary code on the system.
|
Solution: The vendor has released a patch, even though the vendor does not believe that OpenBSD is vulnerable (as the BSD malloc function detects
the 'double free' condition). Patches are available for those who wish to update to zlib 1.1.4.
There is also a kernel zlib
component that is used for kernel-based PPP and IPSec in some cases. It is not known at this time whether the zlib issue can be
used to subvert the kernel zlib.
Patch for OpenBSD 3.0:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/015_zlib.patch
Patch
for OpenBSD 2.9:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/022_zlib.patch
The 2.9 patch may also be used for
OpenBSD 2.8.
The 2.9-stable and 3.0-stable branches (cvs tags OPENBSD_2_9 and OPENBSD_3_0 respectively) also contain the updated
zlib.
|
Vendor URL: www.gzip.org/zlib/ (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: UNIX (OpenBSD)
|
Reported By: "Todd C. Miller" <Todd.Miller@courtesan.com>
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Mon, 18 Mar 2002 19:07:34 -0700
From: "Todd C. Miller" <Todd.Miller@courtesan.com>
Subject: zlib patch available
|
While we do not believe OpenBSD to be vulnerable to the recent
'double free' issue with zlib (the BSD malloc detects this condition)
patches are available for those who wish to update to zlib 1.1.4.
There is also a kernel zlib component that is used for kernel-based
PPP and IPSec in some cases. It is not known at this time whether
the zlib issue can be used to subvert the kernel zlib.
Patch for OpenBSD 3.0:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/015_zlib.patch
Patch for OpenBSD 2.9:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/022_zlib.patch
The 2.9 patch may also be used for OpenBSD 2.8.
The 2.9-stable and 3.0-stable branches (cvs tags OPENBSD_2_9 and
OPENBSD_3_0 respectively) also contain the updated zlib.
- todd
|
|
