Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 1075 - zlib: possibly exploitable buffer overflow
Summary: zlib: possibly exploitable buffer overflow
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system (show other bugs)
Hardware: x86 Linux
: High blocker (vote)
Assignee: Ferry Meyndert (RETIRED)
URL: http://www.linuxsecurity.com/advisori...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2002-03-11 15:31 UTC by Bruce A. Locke (RETIRED)
Modified: 2003-02-04 19:42 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Bruce A. Locke (RETIRED) gentoo-dev 2002-03-11 15:31:02 UTC
zlib 1.1.4 was checked into portage which fixes this issue for applications that
dynamically link against zlib (a package.mask entry should be used to block all
older versions in a day or two)

The following applications are mentioned in the redhat advisory because they
either statically link against zlib or include their own version.  They should
either be made to use the linked library version (if possible) or check to see
if the upstream has released an updated version:

- kernel (status unknown) 
- cvs
- rsync
- dump, rmt
- vnc
- binutils
- gcc v3
- libstdc++ v3

Possibly affected:

- mozilla (seems to have its own libzlib.la in /usr/lib/mozilla)
- freeamp
- amaya
- qt-embedded (do we even have this?)

Commerical applications that are most likely affected but we can do nothing about:

- netscape 4.x
- acroread
Comment 1 Scott Moynes 2002-03-11 20:19:06 UTC
I compiled a list of binaries on my machine that may have zlib statically
linked. My list is much the same here, but I figured the script might be a
little bit helpful to gentoo developers.
find / -type f -perm 755 | xargs egrep "inflate.*Copyright"
Several other patterns could probably be used as well. strings /usr/lib/libz.a
should help in finding other culprits.
Hope that helps.
Comment 2 Ferry Meyndert (RETIRED) gentoo-dev 2002-03-12 05:26:17 UTC
Also the hole the binary cd has to be redone. Becuase lotsa binarys on the cd
will be affected too
Comment 3 Ferry Meyndert (RETIRED) gentoo-dev 2002-03-12 05:50:29 UTC
ok new mozilla is out 0.9.9
* Mozilla's zlib library contins the fix for the zlib vulnerability. Note that
some builds such as the Red Hat RPMs use the sytem zlib library and you will
need to update this library separately. See the Red Hat Linux Errata Advisory.

Working on ebuild

Comment 4 Tod M. Neidt (RETIRED) gentoo-dev 2002-03-14 02:23:51 UTC

*** This bug has been marked as a duplicate of 892 ***
Comment 5 Bruce A. Locke (RETIRED) gentoo-dev 2002-03-14 02:31:34 UTC
This has nothing to do with aspell... assuming bug closing was a mistake
Comment 6 Ferry Meyndert (RETIRED) gentoo-dev 2002-03-14 04:19:35 UTC
The following packages contain their own zlib code and were either
 updated to fix the double free in zlib or were patched to use the
 system zlib instead:


   rrdtool:   comes with it's own zlib source; patched to fix.
   gcc3.0:    patched to use system zlib.
   gcc-2.96:  patched to use system zlib.
   mirrordir: comes with it's own zlib source; patched to fix.
   vnc:       patched to use system zlib.
   ppp:       comes with it's own zlib source; patched to fix.
   chromium:  patched to use system zlib.
   HDF:       comes with it's own zlib source; patched to fix.
   XFree86:   patched to use system zlib.
   kernel:    comes with it's own zlib source; updates for both the 2.2
              and 2.4 kernels are forthcoming due to some other problems
              that are currently being worked on.
   rsync:     comes with it's own zlib source; updates will be available
              shortly as we are currently testing 2.5.3.
   netscape:  new binary packages should be available from Netscape
              soon, and due to it's closed source nature no fix is
              available yet.
Comment 7 Seemant Kulleen 2002-03-14 04:21:35 UTC
rsync-2.5.4 has fixes for it.  It can be found at: 
http://rsync.samba.org/ftp/rsync/rsync-2.5.4.tar.gz.  According to their changelog:

rsync 2.5.4 (13 March 2002)

  "Imitation lizard skin"

  BUG FIXES:

    * Additional fix for zlib double-free bug.  (Martin Pool, Andrew
      Tridgell) (CVE CAN-2002-0059)
 
  ENHANCEMENTS:

    * Merge in changes from zlib 1.1.3 to zlib 1.1.4.  (Jos Backus)
      (Note that rsync still uses a custom version of zlib; you can
      not just link against a system library.  See zlib/README.rsync)
Comment 8 Ferry Meyndert (RETIRED) gentoo-dev 2002-03-14 04:24:06 UTC
net-analyzer/rrdtool
should be updated too 1.0.34

hangeLog for RRDtool 1.0.x
---------------------------
- bugfix, + enhancement, * contrib, = RELEASE
---------------------------------------------
= 1.0.34 2001/03/12 -- Tobi

- 2002/02/12 -- Tobi
  * replaced zlib 1.1.3 with 1.1.4

Comment 9 Ferry Meyndert (RETIRED) gentoo-dev 2002-03-14 04:54:49 UTC
this is the patch too let vnc use the systems zlib.

net-misc/vnc/vnc-3.3.3-r2.ebuild

patch: 

--- vnc_unixsrc/vncviewer/Imakefile.fred        Tue Feb 12 16:51:38 2002       
+++ vnc_unixsrc/vncviewer/Imakefile     Tue Feb 12 16:55:48 2002               
@@ -15,8 +15,8 @@                                                              
                                                                               
 INCLUDES = -I../include -I. -I/usr/include                                    
 VNCAUTH_LIB = ../libvncauth/libvncauth.a                                      
-ZLIB_LIB = /usr/lib/libz.a                                                    
-JPEG_LIB = /usr/lib/libjpeg.a                                                 
+ZLIB_LIB = -lz                                                                
+JPEG_LIB = -ljpeg                                                             
                                                                               
 DEPLIBS = XawClientDepLibs $(VNCAUTH_LIB) $(ZLIB_LIB) $(JPEG_LIB)             
 LOCAL_LIBRARIES = XawClientLibs $(VNCAUTH_LIB) $(ZLIB_LIB) $(JPEG_LIB)
Comment 10 Ferry Meyndert (RETIRED) gentoo-dev 2002-03-14 05:05:50 UTC
Fix for ppp

net-dialup/ppp/ppp-2.4.1-r6.ebuild

ppp:       comes with it's own zlib source; patched to fix.

patch:
http://www.clan-tva.com/m0rpheus/ppp-2.4.1-zfree.patch
Comment 11 Seemant Kulleen 2002-03-14 05:59:51 UTC
From the redhat SRPM for gcc-3.0.4-20020221, we have this patch:

--- fastjar/configure.in.jj     Fri Dec 15 19:45:09 2000
+++ fastjar/configure.in        Thu Feb 21 23:26:05 2002
@@ -38,9 +38,12 @@ dnl Check byte order
 AC_C_BIGENDIAN
 
 dnl Brain dead check for tree's zlib
-ZDEPS='$(top_builddir)/../zlib/libz.a'
-ZLIBS="$ZDEPS -L\$(here)/../zlib/$libsubdir"
-ZINCS='-I$(top_srcdir)/../zlib'
+#ZDEPS='$(top_builddir)/../zlib/libz.a'
+#ZLIBS="$ZDEPS -L\$(here)/../zlib/$libsubdir"
+#ZINCS='-I$(top_srcdir)/../zlib'
+ZDEPS=
+ZLIBS=-lz
+ZINCS=
 AC_SUBST(ZLIBS)
 AC_SUBST(ZDEPS)
 AC_SUBST(ZINCS)
--- fastjar/configure.jj        Sun Jan  7 12:33:20 2001
+++ fastjar/configure   Thu Feb 21 23:26:45 2002
@@ -1963,9 +1963,12 @@ EOF
 fi
 
 
-ZDEPS='$(top_builddir)/../zlib/libz.a'
-ZLIBS="$ZDEPS -L\$(here)/../zlib/$libsubdir"
-ZINCS='-I$(top_srcdir)/../zlib'
+#ZDEPS='$(top_builddir)/../zlib/libz.a'
+#ZLIBS="$ZDEPS -L\$(here)/../zlib/$libsubdir"
+#ZINCS='-I$(top_srcdir)/../zlib'
+ZDEPS=
+ZLIBS=-lz
+ZINCS=
Comment 12 Seemant Kulleen 2002-03-14 06:00:47 UTC
So far the only kernel fix I can find is for 2.2.19, but that is not relevant to
Gentoo, is it?
Comment 13 Seemant Kulleen 2002-03-14 06:34:12 UTC
OK, XFree86's patch can be found:
ftp://ftp.xfree86.org/pub/XFree86/4.2.0/fixes/4.2.0-zlib-security.patch


From the ERRATA document at xfree86.org.
3. Potential vulnerability in zlib.

    A recently released CERT vulnerability notice (VU#368819)
    describes a potential vulnerability in some versions of zlib.
    XFree86 4.2.0 includes zlib 1.0.8, and uses it on some platforms.

    A source patch to correct this is available in the fixes
    subdirectory (4.2.0-zlib-security.patch).  It is also included
    in the xf-4_2-branch branch of the XFree86 CVS repository.

According to the CERT report, though:


XFree86 versions 4.0 through 4.2.0 include zlib version 1.0.8. XFree86 3.x
includes zlib version 1.0.4. The zlib code included with XFree86 is only used on
some platforms. This is determined by the setting of HasZlib in the imake config
files in the xc/config/cf source directory. If HasZlib is set to YES in the
platform's vendor.cf file(s), then the system-provided zlib is used instead of
the XFree86-provided versi

 Perhaps that should be a consideration for future X builds, if it is not already?





Comment 14 Bruce A. Locke (RETIRED) gentoo-dev 2002-03-15 22:26:27 UTC
The vnc patch appears to be pure BS :(  The fields it trys to change to not
exist either before or after xmkmf and imake are run.

And the copy of zlib is under Xvnc, not vncviewer.
Comment 15 Bruce A. Locke (RETIRED) gentoo-dev 2002-03-15 22:43:57 UTC
rsync 2.5.4 was added to portage and masked out.

Someone please test with chiba and unmask...

I am rather alarmed that rsync and cvs were not fixed already... I've helped
with a few of the zlib fixes but the fact much of them still exist alarms me and
looks bad.

I will be going on spring break for a week and when I get back I'm going to file
individual bug reports for every package still affected and start getting very
vocal about it ;)
Comment 16 Bruce A. Locke (RETIRED) gentoo-dev 2002-03-16 04:18:52 UTC
cvs 1.11.1p1 is in cvs and masked out.  It uses redhat's patch to dynamically
link against the system libz.

I noticed the new upstream package stores the contrib scripts in /usr/share/cvs
instead of /usr/lib/cvs... is this a problem?

I'll be gone/very sparatic for a week so I don't feel safe committing this stuff
in unmasked and not being around to see the fallout :)  If it works for you,
unmask it :)
Comment 17 Daniel Robbins (RETIRED) gentoo-dev 2002-03-16 09:14:21 UTC
if you could, please do so *before* spring break :)
Comment 18 Seemant Kulleen (RETIRED) gentoo-dev 2002-03-17 05:19:30 UTC
This is just a hack from the script that is posted in bug #1184 from Sorcerer. 
I did coz I was amnesiac and wanted to test it.  I get a nice list of packages.
 I think it would be easy enough to actually emerge each one on that list too. 
Dunno if this should be a post install thingy tacked onto zlib, like SGL did, or
not.  Anyway, just thought you might be interested in this, just cause it might
save some time.  Dunno, though.

Seemant

---

#!/bin/sh
#
# this script finds the static libraries and executables in
# $TRACKED subdirectories, in order to list and re-compile
# the spells created those.
#
# This way, we will get rid of buggy static compiles.
#
# 20020313, kongar
############################
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# $Id: find_zlib_static,v 1.5 2002/03/13 10:00:26 kongar Exp $
############################


##### end sanity checks

TMPFILE=/tmp/zlibfind.`uuidgen`
FOUND=/tmp/zlibfound.`uuidgen`
LIB_LIST=`find /usr/lib   \
        ! -regex '.*/doc/.*'  ! -regex '.*/man/.*'   ! -regex '.*/include/.*'  \
        ! -regex '.*/src/.*'  ! -regex '.*/share/.*' ! -regex '.*/fonts/.*'    \
        ! -regex '.*/info/.*' ! -regex '.*/perl5/.*' ! -regex '.*/site-packages/
.*' \
        ! -regex '.*\.so.*'   \
        -exec file {} \;     \
             |  egrep "current ar archive|statically linked" \
             |  cut -d ":" -f 1-1`
     
AFFECTED=`nm --print-file-name $LIB_LIST | egrep "deflate|inflate" | cut -d ":" 
-f 1-1 `

for TARGET in $AFFECTED; do echo $TARGET >> $TMPFILE; done
#cat $TMPFILE | sort | grep -v libz | uniq
SORTED=`cat $TMPFILE | sort | grep -v libz | uniq`
for SPELL in $SORTED; 
do 
        qpkg -f ${SPELL} >> $FOUND
done

cat $FOUND | sort | uniq
Comment 19 Ferry Meyndert (RETIRED) gentoo-dev 2002-03-25 17:14:16 UTC
i thinked we tacled them all