SecurityTracker.com

Category:   Application (Generic)  >   Zlib
Vendors:   [Multiple Authors/Vendors]
(Sun Issues Fix) Re: 'zlib' Shared Compression Library Contains 'Double Free()' Buffer Overflow That Lets Remote Users Cause Programs Using zlib to Crash or Execute Arbitrary Code
SecurityTracker Alert ID:  1004110
SecurityTracker URL:  http://securitytracker.com/id/1004110
CVE Reference:   CVE-2002-0059
Updated:  Apr 25 2002
Original Entry Date:  Apr 19 2002
Impact:   Denial of service via network, Execution of arbitrary code via local system, Execution of arbitrary code via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A vulnerability was reported in the zlib shared library, a widely used library that provides in-memory compression and decompression functions. A remote user could cause programs using this library to crash or to execute arbitrary code on the system.

It is reported that certain types of input will cause zlib to free the same area of memory twice (i.e., perform a "double free"), resulting in a buffer overflow condition when expanding compressed input. A remote user can cause programs that process untrusted user-supplied compressed input to crash or potentially execute arbitrary code on the system.

It is reported that web browsers or email programs that display image attachments or other programs that uncompress data may be particularly affected.

It is reported that Matthias Clasen <maclas@gmx.de> and Owen Taylor <otaylor@redhat.com> discovered this bug.

Impact:   A remote user can cause affected programs that use zlib to process untrusted user-supplied compressed input to crash or potentially execute arbitrary code on the system.
Solution:   The vendor has issued fixes for Solaris and OpenWindows.

SPARC

Open Windows 3.6.1 (for Solaris 7) with patch 108376-37 or later
Open Windows 3.6.2 (for Solaris 8) with patch 108652-51 or later
Solaris 8 with patch 112611-01 or later

Intel

Open Windows 3.6.1 (for Solaris 7) with patch 108377-33 or later
Open Windows 3.6.2 (for Solaris 8) with patch 108653-41 or later
Solaris 8 with patch 112612-01 or later
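
The fixed revisions listed above can be compared with a host's installed patch list. The following shell script is an added example, not part of the Sun Alert or the SecurityTracker entry; it assumes a POSIX sh and awk and that installed patches arrive on standard input as `Patch: <base>-<rev> ...` lines (the layout printed by `showrev -p`). The function names, package names and sample patch list are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare installed patch revisions with the fixed revisions
# from the Solution list (arch, patch base, fixed revision, product).
FIXES='sparc 108376 37 OpenWindows_3.6.1
sparc 108652 51 OpenWindows_3.6.2
sparc 112611 01 Solaris_8
i386 108377 33 OpenWindows_3.6.1
i386 108653 41 OpenWindows_3.6.2
i386 112612 01 Solaris_8'

# installed_rev BASE: read "Patch: BASE-REV ..." lines on stdin and print the
# highest revision installed for patch BASE (prints nothing if none is listed).
installed_rev() {
    awk -v base="$1" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && (!seen || p[2] + 0 > max + 0)) { max = p[2]; seen = 1 }
        }
        END { if (seen) print max }'
}

# check_zlib_fixes ARCH: read the patch list on stdin and print one line
# "PATCH-BASE PRODUCT STATUS" for each fix that applies to ARCH.
#   fixed  = installed revision is at or above the fixed revision
#   below  = patch is installed, but at an older revision
#   absent = patch ID not listed (the product may not be installed at all)
check_zlib_fixes() {
    patches=`cat`
    echo "$FIXES" | while read arch base min product; do
        [ "$arch" = "$1" ] || continue
        have=`echo "$patches" | installed_rev "$base"`
        if [ -z "$have" ]; then status=absent
        elif [ "$have" -ge "$min" ]; then status=fixed
        else status=below
        fi
        echo "$base $product $status"
    done
}

# Constructed sample input (not from a real host); package names are placeholders.
sample_patches() {
    cat <<'EOF'
Patch: 108652-35 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg1
Patch: 112611-01 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg2
Patch: 999999-04 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg3
EOF
}

sample_patches | check_zlib_fixes sparc
```

An `absent` result only means the patch ID is not in the list; per the alert, OpenWindows 3.6.1 is affected only once the listed feature patches were installed, so confirm the product is present before acting on it.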

Vendor URL:  www.gzip.org/zlib/
Cause:   Boundary error
Underlying OS:  UNIX (Solaris - SunOS)
Underlying OS Comments:  7, 8

Message History:   This archive entry is a follow-up to the message listed below.
Mar 11 2002 'zlib' Shared Compression Library Contains 'Double Free()' Buffer Overflow That Lets Remote Users Cause Programs Using zlib to Crash or Execute Arbitrary Code



 Source Message Contents

Subject:  Sun Alert 43541 (modified)


DOCUMENT ID: 43541 
SYNOPSIS: Security issue with zlib (libz(3)) in Solaris and OpenWindows 
DETAIL DESCRIPTION: 

Sun(sm) Alert Notification 

     Sun Alert ID: 43541 

     Synopsis: Security issue with zlib (libz(3)) in Solaris and OpenWindows 

     Category: Security 

     Product: Solaris, OpenWindows 
     BugIDs: 4644966, 4644859 
     Avoidance: Workaround, T-Patch 

     State: Committed 
     Date Released: 28-Mar-2002 
     Date Closed: 
     Date Modified: 15-Apr-2002 

1. Impact 

Depending upon how and where the zlib routines are called from an
application which links with zlib, the resulting vulnerability may
result in a denial of service, information leakage, or execution of
arbitrary code. 

A large number of free applications and libraries have been identified
as using zlib at http://www.gzip.org/zlib/apps.html.  Some of this
freeware is shipped on the Solaris 8 Software Companion CD. 

This issue is described in the CERT Vulnerability VU#368819 (see
http://www.kb.cert.org/vuls/id/368819) which is referenced in CA-2002-07
(see http://www.cert.org/advisories/CA-2002-07.html). 

2. Contributing Factors 

This issue can occur in the following releases: 

SPARC 

     Open Windows 3.6.1 (for Solaris 7) with the following patches and
     without 108376-37 

                107648-02 through 107648-09
                or
                107078-19
                or
                108376-01 through 108376-36

     Open Windows 3.6.2 (for Solaris 8) and without patch 108652-51 
     Solaris 8 

Intel 

     Open Windows 3.6.1 (for Solaris 7) with the following patches: 

                107649-02 through 107649-09
                or
                107079-18
                or
                108377-01 through 108377-32

     Open Windows 3.6.2 (for Solaris 8) without patch 108653-41 
     Solaris 8 without patch 112612-01 

Notes: The vulnerable OpenWindows library (libz) was introduced into
OpenWindows 3.6.1 in the feature patches listed above. Prior to
installing the feature patch, OpenWindows 3.6.1 was not vulnerable. 

Solaris 7 and earlier are not vulnerable to this issue as the Solaris
libz library was not shipped in Solaris 7 and earlier. 

3. Symptoms 

An application which links with zlib may be able to be killed when
handling untrusted zipped input. There are no reliable symptoms to show
arbitrary code has been inserted into a running program linked with zlib
and executed. 


SOLUTION SUMMARY: 

4. Relief/Workaround 

Preliminary T-patches are available for the following releases from: 

     http://sunsolve.sun.com/tpatches 

SPARC 

     Solaris 8 T-patch T112611-01.tar.Z 

Intel 

     Open Windows 3.6.1 (for Solaris 7) T-patch T108377-33.tar.Z 

This document refers to one or more preliminary temporary patches
(T-patches) which are designed to address the concerns identified
herein. Sun has limited experience with these patches due to their
preliminary nature. Sun may release full patches at a later date,
however, Sun is under no obligation whatsoever to create, release, or
distribute any such patches. 

5. Resolution 

This issue is addressed in the following releases: 

SPARC 

     Open Windows 3.6.1 (for Solaris 7) with patch 108376-37 or later 
     Open Windows 3.6.2 (for Solaris 8) with patch 108652-51 or later 

Intel 

     Open Windows 3.6.2 (for Solaris 8) with patch 108653-41 or later 
     Solaris 8 with patch 112612-01 or later 

A final solution is pending completion. 

Change History 

15-Apr-2002: 

     Updated Contributing Factors, Relief/Workaround and Resolution sections 

This Sun Alert notification is being provided to you on an "AS IS"
basis. Sun makes no representations, warranties, or guaranties as to the
quality, suitability, truth, accuracy or completeness of any of the
information contained herein. This Sun Alert notification may contain
information provided by third parties. ANY AND ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT,
ARE HEREBY DISCLAIMED. The issues described in this Sun Alert
notification may or may not impact your system(s). 

BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL
DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION
CONTAINED HEREIN. 

This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your Confidential Disclosure Agreement or the confidentiality provisions
of your agreement to purchase services from Sun. In the event that you
do not have one of the above-referenced agreements with Sun, this
information is provided pursuant to the confidentiality provisions of
the Sun.com Terms of Use. This Sun Alert notification may only be used
for the purposes contemplated by these agreements. 

Copyright 2001, 2002 Sun Microsystems, Inc., 901 San Antonio Road, Palo
Alto, CA 94303 U.S.A. All rights reserved.


 
 



Copyright 2021, SecurityGlobal.net LLC