Bug 100683 - app-backup/dar, sys-apps/module-init-tools, app-shells/sash contain static zlib
|
Bug#:
100683
|
Product: Gentoo Security
|
Version: unspecified
|
Platform: All
|
|
OS/Version: Linux
|
Status: RESOLVED
|
Severity: normal
|
Priority: P2
|
|
Resolution: FIXED
|
Assigned To: security@gentoo.org
|
Reported By: Storklerk@ariolc.dyndns.org
|
|
Component: Vulnerabilities
|
|
|
URL:
http://www.enyo.de/fw/security/zlib-fingerprint/
|
|
Summary: app-backup/dar, sys-apps/module-init-tools, app-shells/sash contain static zlib
|
|
Keywords:
|
|
Status Whiteboard: B2? [noglsa]
|
|
Opened: 2005-07-29 03:21 0000
|
See URL. There is a clamav database that allows to scan for zlib and displays
the version of the included zlib.
When scanning my up-to-date system I found several instances of zlib-1.2.2 even
if glsa-check -t all does not notify me of any vulnerabilities.
Reproducible: Always
Steps to Reproduce:
1.emerge =sys-libs/zlib-1.2.2
2.emerge app-backup/dar
3.emerge sys-apss/module-init-tools
4.emerge app-shells/sash
5.emerge -uD world
Actual Results:
/usr/bin/dar_static, /sbin/modprobe, /sbin/modinfo, /sbin/depmod and /bin/sash
still contain the vulnerable zlib-1.2.2 even after a complete system update.
Expected Results:
Remerge of all packages that include the system zlib in a static way.
I also found a static zlib in media-gfx/megapov, but I am not sure, if this is
a problem only on my system (Why should a normal application like megapov be
linked static?). I also did not audit any packages not installed on my system,
so there could be still more static copies of zlib out there.
(There are many static copies of zlib-1.1 (for example blackdown-jdk/jre), but
these are not affected by GLSA-200507-19)
Things that could be done to secure a gentoo system against this problem:
* Make all static users of zlib depend on >=sys-libs/zlib-1.2.3 and block on
<sys-libs/zlib-1.2.3
* rev-bump all packages of static users to build new versions on all gentoo
installations
(* remove zlib-1.2.2* from portage?)
I would make this bug critial like the original zlib bug, but normaly the
affected applications will probably not be used to process any untrusted data.
app-backup/dar, module-init-tools, sash do not include a local zlib but link to
it statically. You need to rebuild. Security team please vote if a GLSA is
needed. megapov has been checked and does not include a local zlib so this is
probably a linking issue, and povray links to a dynamic zlib.
For packages linking to affected static versions, I think we need :
- to have a new ebuild forcing the >=1.2.3 dep
- to post a GLSA
app-backup/dar-2.2.2 is forcing >=1.2.3, needs a few stable (sparc, ppc)
sys-apps/module-init-tools isn't forcing anything, needs a bump with a forced dep
app-shells/sash isn't forcing anything, needs a bump with a forced dep
Pulling in base-system for module-init-tools (we'll probably need a 3.0-r3 and a
3.2_pre7-r2)
We'll need someone to bump sash to 3.7-r1 (no metadata)
by 'need a GLSA' you mean update the current one to note packages which link
statically with zlib
also, i dont think module-init-tools links with zlib statically
module-init-tools links a static copy of zlib.
From the configure of this package:
# If zlib is required, libz must be linked static, modprobe is in
# /sbin, libz is in /usr/lib and may not be available when it is run.
# Check whether --enable-zlib or --disable-zlib was given.
if test "${enable_zlib+set}" = set; then
enableval="$enable_zlib"
if test "$enableval" = "yes"; then
cat >>confdefs.h <<\_ACEOF
#define CONFIG_USE_ZLIB 1
_ACEOF
zlib_flags="-Wl,-Bstatic -lz -Wl,-Bdynamic"
fi
fi;
On gentoo libz.so is in /lib, but this seem not to be the default location.
As for dar: It seems dar is missing from my world, because it was only a
dependency of kdar. But I masked >kdar-2.0.0 and now the updating of dar broke
also. So dar is no longer an issue.
you cant just read the configure script
consult the ebuild where we purposefully disable static zlib linking
true, consulting KEYWORDS shows that we didnt disable the static stuff in the
stable version
i'll have to check with a few people to make sure 3.1 is safe for stable
all in all, not a big deal for module-init-tools/sash since they shouldnt be
exploitable in such a way to escalate privs
More trouble:
There is the USE-flag 'static'.
The following packages use this flag and depend on zlib:
app-misc/zisofs-tools (DEPENDS on >=sys-libs/zlib-1.1.4)
net-misc/openssh (DEPENDS on >=sys-libs/zlib-1.1.4)
net-www/apache (DEPENDS on sys-libs/zlib)
I also looked more into media-gfx/megapov
This package is extended version of povray, which links dynamicly to libz.so.1
/usr/bin/povray dynamicly linked (also to libz.so) and is ~1.2
MB, /usr/bin/megapov is a static elf and ~3 MB. Clamscan says it contains a
zlib and everything looks like this is true.
(There is only megapov-1.0 in portage, on the website there are also versions
1.1 and 1.2. All linux versions on the website are called 'compiled with static
libraries')
I also noted that the new media-video/ffmpeg-0.4.9_p20050226-r5.ebuild uses
zlib and it builds static libpostproc.a . But this might be a false alarm,
because clamscan does not detect a zlib in this file.
This list of affected packages is probably still not complete. I only found the
first three packages by setting USE=static and emerge -puD --newuse world.
That I found the static elf of megapov also is only related to the fact that I
have this package installed. There might still be more things like this out
there, but I don't know how to scan for this. Nothing in the megapov ebuild
points to the fact that it will be build static.
Another thing are ebuilds like ffmpeg that build static parts. I discoverd the
combination of partly static linking and using zlib only by pure luck.
sash-3.7-r1 added with zlib-1.2.3 depend
Do we agree that of those, only dar may potentially be used on untrusted data ?
I don't think we should multiplicate GLSAs on unexploitable issues just because
they happen to contain affected zlib code...
Agreed -- module-init-tools needs root anyway (and I vote for no GLSA on it)...
dar seems to be a user utility though so that probably could do with a GLSA.
ppc, sparc: please test and mark app-backup/dar-2.2.2 stable
sparc stable.
maybe of interest to someone is that i had to use.mask dar32 & dar64 since they
caused a shiny bus error (the sparc equivalent of a segfault).
dunno if this affect any other arch since i didn't try.
module-init-tools still needs to be moved into stable
sash includes a -gunzip command, which could be used on untrusted data...
I would vote weak NO on glsa.
I'd vote YES on dar and sash.
ok, if arches are ready, i'd suggest we move module-init-tools-3.1 to stable
security, make up your mind on GLSA need.
Recounting, that means GLSA for dar, no GLSA for the others. People that
disagree should explain/comment here before the GLSA goes out.
Mhh, hard one. I'd tend to say yes to dar or sash, but i also wouldn't mind if
we don't issue a GLSA for this at all.
-> GLSA on dar, no GLSA on thers.
I'm changing my vote on dar.
I don't feel confident sending this without more analysis. It's easy to issue
"DoS and maybe even code execution" for the servers or the library, but for
specific client utilities like dar you are left with the very slight possibility
of code execution in the specific heap structure of the tool, because there is
no "DoS" in this case.
So I feel we shouldn't issue a GLSA for code execution in dar without more
analysis to back up our claims. If you agree with me, close this one as FIXED...
I still agree -> Closing.
