
[linux-security] ALERT: zlib double free bug



Topic
=====
double free bug in zlib may allow local and remote exploits
*** THIS IS A HUGE PROBLEM ***

Problem Description
===================
The zlib library provides in-memory compression/decompression
functions. The library is widely used throughout Linux and other operating
systems.

A bug in zlib's decompression code causes certain malformed compressed input
to make zlib free the same area of memory twice (a "double free"). Any
program that decompresses untrusted input can therefore be crashed by feeding
it a crafted compressed stream. Web browsers and email programs that display
image attachments (PNG images, for instance, are zlib-compressed) and other
programs that uncompress data are particularly affected. This vulnerability
makes it easy to perform denial-of-service attacks against such programs.

An attacker may also be able to do more than crash the program: a double
free corrupts the bookkeeping data structures of the malloc() implementation,
and with suitably controlled heap contents that corruption can be turned
into a write to attacker-chosen memory. This could include running
arbitrary code on local or remote systems.
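The pattern behind such a bug, as an added illustration (this is constructed example code, not zlib's source and not the exact 1.1.3 code path): a helper that builds a table from untrusted input frees its buffer on the error path but leaves the pointer in the decoder state, and the caller's normal cleanup frees the same block again. The tracking allocator, the decoder struct and the sample streams are inventions of the example; the 15-bit cap on code lengths is deflate's real limit.

```c
/*
 * Added example: the ownership mistake behind a double free, in the shape it
 * takes in a decompressor, beside the fixed form.  Constructed illustration,
 * not zlib's code.  A small tracking allocator counts repeated frees of one
 * block so the buggy path can run without libc aborting on a corrupt heap.
 */
#include <stdio.h>
#include <stdlib.h>

#define MAX_CODE_LEN 15   /* deflate caps Huffman code lengths at 15 bits */
#define MAX_TRACKED   8

/* ---- tracking allocator (constructed for this example) ---------------- */
static void *freed_blocks[MAX_TRACKED];
static int   n_freed;
static int   double_free_count;

static void tracked_reset(void)
{
    n_freed = 0;
    double_free_count = 0;
}

static void tracked_free(void *p)
{
    if (p == NULL)
        return;                          /* free(NULL) is a harmless no-op */
    for (int i = 0; i < n_freed; i++) {
        if (freed_blocks[i] == p) {
            /* Same block handed to free() a second time.  With a real
             * allocator this is where the free-list metadata is corrupted. */
            double_free_count++;
            return;
        }
    }
    if (n_freed < MAX_TRACKED)
        freed_blocks[n_freed++] = p;
    free(p);
}

/* ---- decoder state with one heap-owned buffer ------------------------- */
struct decoder {
    unsigned char *lens;   /* code-length table read from the stream */
    size_t         n;
};

typedef int (*build_fn)(struct decoder *, const unsigned char *, size_t);

/* VULNERABLE: on a malformed stream the helper frees the table but leaves
 * the dangling pointer in the state, so the caller's cleanup frees it again.
 * Returns 0 on success, -1 on error. */
static int build_table_vuln(struct decoder *d, const unsigned char *in, size_t n)
{
    d->lens = malloc(n ? n : 1);
    if (d->lens == NULL)
        return -1;
    d->n = n;
    for (size_t i = 0; i < n; i++) {
        if (in[i] > MAX_CODE_LEN) {      /* corrupt code length */
            tracked_free(d->lens);       /* first free ...                 */
            return -1;                   /* ... d->lens still points at it */
        }
        d->lens[i] = in[i];
    }
    return 0;
}

/* FIXED: the decoder state is the single owner of the buffer.  The error
 * path only reports the error; freeing is left to decoder_cleanup(). */
static int build_table_fixed(struct decoder *d, const unsigned char *in, size_t n)
{
    d->lens = malloc(n ? n : 1);
    if (d->lens == NULL)
        return -1;
    d->n = n;
    for (size_t i = 0; i < n; i++) {
        if (in[i] > MAX_CODE_LEN)
            return -1;
        d->lens[i] = in[i];
    }
    return 0;
}

static void decoder_cleanup(struct decoder *d)
{
    tracked_free(d->lens);   /* the second free on the vulnerable error path */
    d->lens = NULL;
    d->n = 0;
}

/* Decode one stream with the given table builder, tear the state down as a
 * real caller would on success and on error, and report how many times the
 * same block was freed twice. */
int run_decode(build_fn build, const unsigned char *in, size_t n)
{
    struct decoder d = { NULL, 0 };
    tracked_reset();
    (void)build(&d, in, n);     /* error or not, the caller cleans up */
    decoder_cleanup(&d);
    return double_free_count;
}

int main(void)
{
    /* constructed sample "code length" streams: one valid, one malformed */
    static const unsigned char good[] = { 3, 5, 7, 15 };
    static const unsigned char bad[]  = { 3, 5, 99, 7 };   /* 99 > 15 */

    printf("vulnerable, good stream: %d double free(s)\n",
           run_decode(build_table_vuln, good, sizeof good));
    printf("vulnerable, bad stream:  %d double free(s)\n",
           run_decode(build_table_vuln, bad, sizeof bad));
    printf("fixed, bad stream:       %d double free(s)\n",
           run_decode(build_table_fixed, bad, sizeof bad));
    return 0;
}
```

The fixed variant gives the buffer exactly one owner, so there is exactly one free whichever path is taken. Setting the pointer to NULL immediately after freeing it has the same effect, since free(NULL) is defined to do nothing, but a single owner is the simpler invariant to audit in a code base with many error paths.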

Packages on your Linux system that use the shared zlib library (libz.so)
are protected against the vulnerability by updating the zlib package
alone. However, a number of packages either link zlib statically or carry
their own internal copy of the zlib code; these gain nothing from the shared
library update and must be updated individually.

Although no exploits for this issue or these packages are currently
known to exist, this is a serious vulnerability which could be
locally or remotely exploited. All users should upgrade affected packages
immediately.

Affected packages: The list below is taken from the RedHat advisory. Different
distributions may compile their packages differently, but the set of
affected packages is likely to be similar. I will send updates to this list
as soon as news about other distributions becomes available.

cvs: The cvs package has been rebuilt to link against the shared system
zlib instead of the internal version. Additionally, cvs has been updated
to correct a possible security vulnerability due to an improperly initialized
global variable.

dump: dump links statically against zlib and must be rebuilt against the new
zlib package.

gcc3: The gcc3 package contains the GNU Compiler Collection version
3.0. It has been updated to version 3.0.4 and patched to link against
the system zlib instead of the internal version.

libgcj: The libgcj package includes the Java runtime library, which is
needed to run Java programs compiled using the gcc Java compiler
(gcj). libgcj has been patched to use the shared system zlib.

kernel: The Linux kernel internally contains several variants of the zlib
code. However, ppp compression is the only one that is fed untrusted data
streams. This issue has been patched.
(On RedHat 7.1 and 7.2 the recent kernel release 2.4.9-31 already contains
the fix, so if you have upgraded to it no further kernel update is needed.)

Netscape Navigator: Users are advised to obtain an update from Netscape.

rsync: rsync is a program for synchronizing files over a network.
rsync uses a modified version of zlib internally, which must be patched.
RedHat's rsync update also fixes another security issue where rsync did
not call setgroups() before dropping the privileges of the connecting user.
Hence, it is possible for users to retain the group IDs of any supplemental
groups that rsync was started in (for example, supplementary groups of the
root user), allowing users to access files they may not otherwise be able
to access. 

VNC: VNC is a remote display system. It uses zlib internally.

zlib: the library itself, the source of all the problems, must be updated.

Affected Systems
================
Any software that is linked against zlib 1.1.3 or earlier
Any data compression library derived from zlib 1.1.3 or earlier
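Finding the statically linked and internal copies is the hard part of the cleanup, because they do not show up as rpm dependencies on the zlib package. An added check (example script, not from the advisory): every copy of the zlib code carries a version string such as " inflate 1.1.3 Copyright 1995-1998 Mark Adler " or " deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly ", so the printable strings of a binary reveal embedded copies, while the ELF NEEDED entries reveal use of the shared libz.so. The function names and the constructed test file are the example's own.

```shell
#!/bin/sh
# Added example, not part of the advisory: find binaries that carry their own
# copy of zlib rather than using the shared libz.so.  zlib compiles a version
# string into every copy of its code (deflate.c and inftrees.c in 1.1.3), so
# an embedded or statically linked copy is visible in the file's printable
# strings even when the package has no dependency on the zlib rpm.
# Only the "inflate 1.1.N" / "deflate 1.1.N" prefix is matched; anything
# below 1.1.4 is affected.

# embedded_zlib_versions FILE
# Print each distinct "inflate 1.1.N" / "deflate 1.1.N" marker found in FILE.
# tr+grep stand in for strings(1) so this works without binutils installed.
embedded_zlib_versions() {
    tr -c '[:print:]' '\n' < "$1" \
        | grep -E -o '(inflate|deflate) 1\.1\.[0-9]+' | sort -u
}

# has_vulnerable_zlib FILE
# Succeed (exit 0) when FILE embeds a zlib copy older than 1.1.4.
has_vulnerable_zlib() {
    embedded_zlib_versions "$1" | awk '
        { split($2, v, "[.]"); if (v[3] + 0 < 4) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# uses_shared_libz FILE
# Succeed when the ELF file declares a NEEDED dependency on libz.so.
# objdump is used instead of ldd: ldd may execute the program it inspects,
# which is not acceptable for binaries you are checking because you do not
# trust them yet.  Without objdump the answer is simply "no".
uses_shared_libz() {
    command -v objdump >/dev/null 2>&1 || return 1
    objdump -p "$1" 2>/dev/null | grep -q 'NEEDED.*libz\.so'
}

# scan_zlib FILE...
# One report line per file: both / embedded [VULNERABLE|ok] / shared / none.
scan_zlib() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        emb=$(embedded_zlib_versions "$f" | tr '\n' ' ')
        if uses_shared_libz "$f"; then shared=yes; else shared=no; fi
        if [ -n "$emb" ] && [ "$shared" = yes ]; then
            printf '%s: both (embedded: %s)\n' "$f" "$emb"
        elif [ -n "$emb" ]; then
            if has_vulnerable_zlib "$f"; then tag=VULNERABLE; else tag=ok; fi
            printf '%s: embedded %s[%s]\n' "$f" "$emb" "$tag"
        elif [ "$shared" = yes ]; then
            printf '%s: shared libz (fixed by the zlib package update)\n' "$f"
        else
            printf '%s: none\n' "$f"
        fi
    done
}

# Usage: sh zlibscan.sh /usr/bin/* /usr/sbin/* $(rpm -ql rsync dump vnc-server)
if [ "$#" -gt 0 ]; then
    scan_zlib "$@"
fi
```

Run it over /usr/bin, /usr/sbin, /usr/lib and the file lists of the packages named above; a file that reports "embedded" with a 1.1.x version below 1.1.4 after the zlib rpm has been updated is one that still needs its own package update or a rebuild. A stripped binary keeps these strings, since they are data, not symbols.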

Solution
========
Upgrade to zlib-1.1.4, or to a vendor package that backports the fix (the
RedHat packages below keep the version number 1.1.3 and only raise the
release number, so "rpm -q zlib" still reports 1.1.3 after the update).
Furthermore, all packages that are statically linked against zlib or that
use internal code based on zlib must be updated as well.

Redhat 6.x
----------
rpm -Fvh zlib-1.1.3-25.6.i386.rpm \
         zlib-devel-1.1.3-25.6.i386.rpm \
         cvs-1.11.1p1-6.2.i386.rpm \
         dump-0.4b19-5.6x.1.i386.rpm \
         dump-static-0.4b19-5.6x.1.i386.rpm \
         rmt-0.4b19-5.6x.1.i386.rpm \
         rsync-2.4.6-3.6.i386.rpm \
         kernel-source-2.2.19-6.2.15.i386.rpm \
         kernel-doc-2.2.19-6.2.15.i386.rpm \
         kernel-pcmcia-cs-2.2.19-6.2.15.i386.rpm \
         kernel-utils-2.2.19-6.2.15.i386.rpm \
         kernel-ibcs-2.2.19-6.2.15.i386.rpm 

Furthermore, the kernel must be updated:

rpm -ivh kernel-<ext>-2.2.19-6.2.15.<arch>.rpm

where <ext> is either empty (in which case you must leave out one of the
dashes) or smp or enterprise and <arch> is one of i386, or i586, or i686.

After that you must edit the /etc/lilo.conf file and create a new first
section (the root= line must name your actual root device; /dev/hda1 below
is only an example):

image=/boot/vmlinuz-2.2.19-6.2.15<ext>
        label=linux
        read-only
        root=/dev/hda1

or, if you are using an initial ramdisk (i.e., the other sections in
/etc/lilo.conf have an "initrd=..." line), add that line as well:

image=/boot/vmlinuz-2.2.19-6.2.15<ext>
        label=linux
        initrd=/boot/initrd-2.2.19-6.2.15<ext>.img
        read-only
        root=/dev/hda1

Change the label of your old kernel to something other than linux, so that
it stays available as a fallback. Then run lilo and reboot:

# /sbin/lilo
# /sbin/reboot

Details of the kernel upgrade procedure can be found at:

http://www.redhat.com/support/resources/howto/kernel-upgrade/
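The same procedure as a script, added here as an example (not from the advisory or from RedHat): the new lilo.conf is generated from the existing one, so root= and initrd= are taken from what is already configured rather than typed in, the old kernel stays bootable under the label linux-old, and lilo's test mode (-t) is run before the boot sector is rewritten. The function names, the "linux-old" label, the backup file name and the LILO_EXAMPLE_RUN guard are the example's own; it assumes one stanza is labelled "linux" and the kernel rpm is in the current directory.

```shell
#!/bin/sh
# Added example, not from the advisory: the kernel part of the RedHat 6.x
# procedure above as a script.  Generates lilo.conf from the existing one,
# keeps the old kernel as "linux-old", and runs "lilo -t" before "lilo".

# new_lilo_conf OLDCONF VERSION [EXT]
# Print OLDCONF with the "linux" stanza relabelled "linux-old" and a new
# first stanza for /boot/vmlinuz-VERSIONEXT in front of the first image=.
# root= is copied from the existing config; an initrd= line is added only if
# the existing config uses an initial ramdisk.
new_lilo_conf() {
    conf=$1; ver=$2; ext=${3:-}
    root=$(sed -n 's/^[[:space:]]*root=[[:space:]]*//p' "$conf" | head -n 1)
    if [ -z "$root" ]; then
        echo "new_lilo_conf: no root= line in $conf" >&2
        return 1
    fi
    if grep -q '^[[:space:]]*initrd=' "$conf"; then initrd=yes; else initrd=; fi
    awk -v ver="$ver" -v ext="$ext" -v root="$root" -v initrd="$initrd" '
        /^[[:space:]]*image=/ && !done {
            print "image=/boot/vmlinuz-" ver ext
            print "\tlabel=linux"
            if (initrd != "") print "\tinitrd=/boot/initrd-" ver ext ".img"
            print "\tread-only"
            print "\troot=" root
            print ""
            done = 1
        }
        /^[[:space:]]*label=linux[[:space:]]*$/ { sub(/linux/, "linux-old") }
        { print }' "$conf"
}

# install_kernel_lilo VERSION EXT ARCH
#   e.g. install_kernel_lilo 2.2.19-6.2.15 smp i686   (EXT "" for uniprocessor)
install_kernel_lilo() {
    ver=$1; ext=$2; arch=$3
    pkg="kernel${ext:+-$ext}-$ver.$arch.rpm"
    rpm -ivh "$pkg" || return 1
    [ -f "/boot/vmlinuz-$ver$ext" ] || { echo "kernel image missing" >&2; return 1; }
    cp /etc/lilo.conf "/etc/lilo.conf.pre-$ver"
    new_lilo_conf "/etc/lilo.conf.pre-$ver" "$ver" "$ext" > /etc/lilo.conf || return 1
    # -t: test run only, nothing is written to the boot sector
    /sbin/lilo -t || { echo "lilo -t failed; old config kept in /etc/lilo.conf.pre-$ver" >&2; return 1; }
    /sbin/lilo && echo "reboot to activate $ver$ext (fallback: label linux-old)"
}

# Destructive, so it only runs when explicitly requested:
#   LILO_EXAMPLE_RUN=1 sh kernel-update.sh 2.2.19-6.2.15 smp i686
if [ "${LILO_EXAMPLE_RUN:-}" = 1 ]; then
    install_kernel_lilo "$@"
fi
```

If the global section has default=linux, the new kernel becomes the default automatically because the new stanza takes over that label; if lilo -t complains, the untouched copy in /etc/lilo.conf.pre-VERSION can be copied back.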

RedHat 7.0
----------
rpm -Fvh zlib-1.1.3-25.7.i386.rpm \
         zlib-devel-1.1.3-25.7.i386.rpm \
         cvs-1.11.1p1-7.i386.rpm \
         dump-0.4b25-1.70.0.i386.rpm \
         rmt-0.4b25-1.70.0.i386.rpm \
         vnc-3.3.3r2-18.3.i386.rpm \
         vnc-doc-3.3.3r2-18.3.i386.rpm \
         vnc-server-3.3.3r2-18.3.i386.rpm \
         rsync-2.4.6-13.i386.rpm \
         libgcj-2.96-24.1.i386.rpm \
         libgcj-devel-2.96-24.1.i386.rpm \
         kernel-source-2.2.19-7.0.15.i386.rpm \
         kernel-doc-2.2.19-7.0.15.i386.rpm \
         kernel-pcmcia-cs-2.2.19-7.0.15.i386.rpm \
         kernel-utils-2.2.19-7.0.15.i386.rpm \
         kernel-ibcs-2.2.19-7.0.15.i386.rpm

Furthermore, the kernel must be updated:

rpm -ivh kernel-<ext>-2.2.19-7.0.15.<arch>.rpm

where <ext> is either empty (in which case you must leave out one of the
dashes) or smp or enterprise and <arch> is one of i386, or i586, or i686.
The rest of the kernel upgrade procedure is analogous to the procedure
described under RedHat 6.x above.

RedHat 7.1
----------
rpm -Fvh zlib-1.1.3-25.7.i386.rpm \
         zlib-devel-1.1.3-25.7.i386.rpm \
         cvs-1.11.1p1-7.i386.rpm \
         dump-0.4b25-1.71.0.i386.rpm \
         rmt-0.4b25-1.71.0.i386.rpm \
         vnc-3.3.3r2-18.3.i386.rpm \
         vnc-doc-3.3.3r2-18.3.i386.rpm \
         vnc-server-3.3.3r2-18.3.i386.rpm \
         rsync-2.4.6-13.i386.rpm \
         libgcj-2.96-24.1.i386.rpm \
         libgcj-devel-2.96-24.1.i386.rpm

If you have not upgraded your kernel to version 2.4.9-31 you must upgrade
it as well:

rpm -Fvh kernel-source-2.4.9-31.i386.rpm \
         kernel-headers-2.4.9-31.i386.rpm \
         kernel-doc-2.4.9-31.i386.rpm

rpm -ivh kernel-<ext>-2.4.9-31.<arch>.rpm

where <ext> is either empty (in which case you must leave out one of the
dashes) or smp or enterprise and <arch> is one of i386, i586, i686, or athlon. 
The remainder of the kernel upgrade procedure is described under RedHat 6.x
above.

RedHat 7.2
----------
rpm -Fvh zlib-1.1.3-25.7.i386.rpm \
         zlib-devel-1.1.3-25.7.i386.rpm \
         cvs-1.11.1p1-7.i386.rpm \
         dump-0.4b25-1.72.0.i386.rpm \
         rmt-0.4b25-1.72.0.i386.rpm \
         vnc-3.3.3r2-18.3.i386.rpm \
         vnc-doc-3.3.3r2-18.3.i386.rpm \
         vnc-server-3.3.3r2-18.3.i386.rpm \
         rsync-2.4.6-13.i386.rpm \
         gcc3-3.0.4-1.i386.rpm \
         gcc3-c++-3.0.4-1.i386.rpm \
         gcc3-g77-3.0.4-1.i386.rpm \
         gcc3-java-3.0.4-1.i386.rpm \
         gcc3-objc-3.0.4-1.i386.rpm \
         libgcc-3.0.4-1.i386.rpm \
         libgcj3-3.0.4-1.i386.rpm \
         libgcj3-devel-3.0.4-1.i386.rpm \
         libstdc++3-3.0.4-1.i386.rpm \
         libstdc++3-devel-3.0.4-1.i386.rpm \
         libgcj-2.96-28.i386.rpm \
         libgcj-devel-2.96-28.i386.rpm \
         binutils-2.11.90.0.8-12.i386.rpm

If you have not upgraded your kernel to version 2.4.9-31 you must upgrade
it as well:

rpm -Fvh kernel-source-2.4.9-31.i386.rpm \
         kernel-headers-2.4.9-31.i386.rpm \
         kernel-doc-2.4.9-31.i386.rpm

rpm -ivh kernel-<ext>-2.4.9-31.<arch>.rpm

where <ext> is either empty (in which case you must leave out one of the
dashes) or smp or enterprise and <arch> is one of i386, i586, i686, or athlon.
Since RedHat 7.2 uses grub instead of lilo, you do not have to modify
/etc/lilo.conf (installing the kernel rpm adds an entry for the new kernel
to /etc/grub.conf). Just reboot and select the new kernel in the grub menu.