LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: April 7th, 2014
Linux Advisory Watch: April 4th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
FreeBSD: UPDATE: 'zlib' Denial of Service vulnerability Print E-mail
User Rating:      How can I rate this item?
Posted by LinuxSecurity.com Team   
FreeBSD If an attacker is able to pass a specially-crafted block of invalidcompressed data to a program that includes zlib, the program'sattempt to decompress the crafted data may cause the zlib routinesto attempt to free memory multiple times.

=============================================================================
FreeBSD-SA-02:18                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          zlib double-free

Category:       core, ports
Module:         zlib
Announced:      2002-03-18
Credits:        Matthias Clasen <maclas@gmx.de>
                Owen Taylor <otaylor@Red Hat.com>
Affects:        All released versions of FreeBSD
                FreeBSD 4.5-STABLE prior to the correction date
                Various ports using or including zlib
Corrected:      2002-02-22 02:48:40 UTC (RELENG_4)
                2002-02-23 00:14:28 UTC (RELENG_4_5)
                2002-02-23 00:15:19 UTC (RELENG_4_4)
                2002-02-23 00:15:50 UTC (RELENG_4_3)
CVE:            CAN-2002-0059
FreeBSD only:   NO

I.   Background

zlib is a compression library used by numerous applications to provide
data compression/decompression routines.

II.  Problem Description

A programming error in zlib may cause segments of dynamically
allocated memory to be released more than once (double-freed).
If an attacker is able to pass a specially-crafted block of invalid
compressed data to a program that includes zlib, the program's
attempt to decompress the crafted data may cause the zlib routines
to attempt to free memory multiple times.

Unlike some implementations of malloc(3)/free(3), the malloc(3) and
free(3) routines used in FreeBSD (aka phkmalloc, written by
Poul-Henning Kamp <phk@FreeBSD.org>), are not vulnerable to this type
of bug.  From the author:

  Most mallocs keep their housekeeping data right next to the
  allocated range.  This gives rise to all sorts of unpleassant
  situations if programs stray outside the dotted line, free(3)
  things twice or free(3) modified pointers.

  phkmalloc(3) does not store housekeeping next to allocated data,
  and in particular it has code that detects and complains about
  exactly this kind of double free.

When attempting to double-free an area of memory, phkmalloc will
issue a warning:

  progname in free(): error: chunk is already free

and may call abort(3) if the malloc flag 'A' is used.

III. Impact

If an attacker is able to pass a specially-crafted block of invalid
compressed data to an application that utilizes zlib, the attempt to
decompress the data may cause incorrect operation of the application,
including possibly crashing the application.  Also, the malloc
implementation will issue warnings and, if the `A' malloc option is
used, cause the application to abort(3).  In short, an attacker may
cause a denial of service in applications utilizing zlib.

IV.  Workaround

To prevent affected programs from aborting, remove the 'A' from
the malloc flags.  To check which malloc flags are in use, issue the
following commands:

# ls -l /etc/malloc.conf
# echo $MALLOC_OPTIONS

A nonexistent /etc/malloc.conf or MALLOC_OPTIONS environmental variable
means that no malloc flags are in use.  See the malloc(3) man page for
more information.

V.   Solution

[FreeBSD 4.x base system]

1) Upgrade your vulnerable system to 4.5-STABLE or to one of the
RELENG_4_4 or RELENG_4_5 security branches dated after the respective
correction dates.

2) To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

# fetch  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.patch
# fetch  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.patch.asc

Verify the detached PGP signature using your PGP utility.

This patch has been verified to apply to all FreeBSD 4.x versions.

# cd /usr/src
# patch -p < /path/to/patch
# cd lib/libz
# make depend && make all install

Then rebuild and reinstall your kernel as described in 
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system with the new kernel for the changes to take effect.

[ports]

Various ports may statically link zlib or contain their own versions
of zlib that have not been corrected by updating the FreeBSD libz.
Efforts are underway to identify and correct these ports.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                                             Revision
  Branch
-------------------------------------------------------------------------
src/lib/libz/infblock.c
  RELENG_4                                                    1.1.1.4.6.1
  RELENG_4_5                                                 1.1.1.4.12.1
  RELENG_4_4                                                 1.1.1.4.10.1
  RELENG_4_3                                                  1.1.1.4.8.1
src/sys/net/zlib.c
  RELENG_4                                                       1.10.2.1
  RELENG_4_5                                                     1.10.8.1
  RELENG_4_4                                                     1.10.6.1
  RELENG_4_3                                                     1.10.4.1
-------------------------------------------------------------------------

VII. References

http://online.securityfocus.com/archive/1/261205>

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0059 to this issue.



 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Canadians arrest a Heartbleed hacker
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.