Re: FreeBSD Ports Security Advisory FreeBSD-SA-02:18.zlib

From: Jason DiCioccio (geniusj@bluenugget.net)
Date: 03/18/02


Date: Mon, 18 Mar 2002 08:16:11 -0800
From: Jason DiCioccio <geniusj@bluenugget.net>
To: security@freebsd.org


I'm a bit confused now. So FreeBSD 4.5-RELEASE is vulnerable? I
am a bit unclear on this as I thought phkmalloc was not vulnerable
to the double-free bug. Or does this only affect binaries
statically linked with older revisions of libc and Linux binaries?

That's what I would think anyway.

Cheers,
-JD-

--On Monday, March 18, 2002 7:00 AM -0800 FreeBSD Security Advisories
<security-advisories@freebsd.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> FreeBSD-SA-02:18                                            Security Advisory
>                                                                 FreeBSD, Inc.
>
> Topic:          zlib double-free
>
> Category:       core, ports
> Module:         zlib
> Announced:      2002-03-18
> Credits:        Matthias Clasen <maclas@gmx.de>
>                 Owen Taylor <otaylor@redhat.com>
> Affects:        All released versions of FreeBSD
>                 FreeBSD 4.5-STABLE prior to the correction date
>                 Various ports using or including zlib
> Corrected:      2002-02-22 02:48:40 UTC (RELENG_4)
>                 2002-02-23 00:14:28 UTC (RELENG_4_5)
>                 2002-02-23 00:15:19 UTC (RELENG_4_4)
>                 2002-02-23 00:15:50 UTC (RELENG_4_3)
> CVE:            CAN-2002-0059
> FreeBSD only:   NO
>
> I. Background
>
> zlib is a compression library used by numerous applications to provide
> data compression/decompression routines.
>
> II. Problem Description
>
> A programming error in zlib may cause segments of dynamically
> allocated memory to be released more than once (double-freed).
> If an attacker is able to pass a specially-crafted block of invalid
> compressed data to a program that includes zlib, the program's
> attempt to decompress the crafted data may cause the zlib routines
> to attempt to free memory multiple times.
>
> Unlike some implementations of malloc(3)/free(3), the malloc(3) and
> free(3) routines used in FreeBSD (aka phkmalloc, written by
> Poul-Henning Kamp <phk@FreeBSD.org>), are not vulnerable to this type
> of bug. From the author:
>
> Most mallocs keep their housekeeping data right next to the
> allocated range. This gives rise to all sorts of unpleasant
> situations if programs stray outside the dotted line, free(3)
> things twice or free(3) modified pointers.
>
> phkmalloc(3) does not store housekeeping next to allocated data,
> and in particular it has code that detects and complains about
> exactly this kind of double free.
>
> When attempting to double-free an area of memory, phkmalloc will
> issue a warning:
>
> progname in free(): error: chunk is already free
>
> and may call abort(3) if the malloc flag 'A' is used.
>
> III. Impact
>
> If an attacker is able to pass a specially-crafted block of invalid
> compressed data to an application that utilizes zlib, the attempt to
> decompress the data may cause incorrect operation of the application,
> including possibly crashing the application. Also, the malloc
> implementation will issue warnings and, if the `A' malloc option is
> used, cause the application to abort(3). In short, an attacker may
> cause a denial of service in applications utilizing zlib.
>
> IV. Workaround
>
> To prevent affected programs from aborting, remove the 'A' from
> the malloc flags. To check which malloc flags are in use, issue the
> following commands:
>
> # ls -l /etc/malloc.conf
> # echo $MALLOC_OPTIONS
>
> A nonexistent /etc/malloc.conf or MALLOC_OPTIONS environmental variable
> means that no malloc flags are in use. See the malloc(3) man page for
> more information.
>
> V. Solution
>
> [FreeBSD 4.x base system]
>
> 1) Upgrade your vulnerable system to 4.5-STABLE or to one of the
> RELENG_4_4 or RELENG_4_5 security branches dated after the respective
> correction dates.
>
> 2) To patch your present system: download the relevant patch from the
> below location, and execute the following commands as root:
>
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.patch.asc
>
> Verify the detached PGP signature using your PGP utility.
>
> This patch has been verified to apply to all FreeBSD 4.x versions.
>
> # cd /usr/src
> # patch -p < /path/to/patch
> # cd lib/libz
> # make depend && make all install
>
> Then rebuild and reinstall your kernel as described in
> http://www.freebsd.org/handbook/kernelconfig.html and reboot the
> system with the new kernel for the changes to take effect.
>
> [ports]
>
> Various ports may statically link zlib or contain their own versions
> of zlib that have not been corrected by updating the FreeBSD libz.
> Efforts are underway to identify and correct these ports.
>
> VI. Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Path
>   Branch          Revision
> -------------------------------------------------------------------------
> src/lib/libz/infblock.c
>   RELENG_4        1.1.1.4.6.1
>   RELENG_4_5      1.1.1.4.12.1
>   RELENG_4_4      1.1.1.4.10.1
>   RELENG_4_3      1.1.1.4.8.1
> src/sys/net/zlib.c
>   RELENG_4        1.10.2.1
>   RELENG_4_5      1.10.8.1
>   RELENG_4_4      1.10.6.1
>   RELENG_4_3      1.10.4.1
> -------------------------------------------------------------------------
>
> VII. References
>
> <URL:http://online.securityfocus.com/archive/1/261205>
>
> The Common Vulnerabilities and Exposures project (cve.mitre.org) has
> assigned the name CAN-2002-0059 to this issue.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (FreeBSD)
> Comment: FreeBSD: The Power To Serve
>
> -----END PGP SIGNATURE-----
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security-notifications" in the body of the
> message
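
The out-of-band housekeeping described in the quoted advisory, as an added example that is not part of the original message or the advisory and is not phkmalloc's code: a toy fixed-size allocator keeps chunk state in a separate table, so a second free or a modified pointer is detected from the table alone. The names `toy_alloc`, `toy_free` and `abort_on_error` are hypothetical; `abort_on_error` stands in for the 'A' malloc flag.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model, not phkmalloc: a fixed pool of equal-sized chunks whose
 * bookkeeping lives in a separate table, never beside the user data. */
#define CHUNK_SIZE 64
#define NCHUNKS    8

enum toy_status { TOY_OK, TOY_ALREADY_FREE, TOY_BAD_POINTER };

static unsigned char pool[NCHUNKS][CHUNK_SIZE]; /* user data only */
static unsigned char in_use[NCHUNKS];           /* out-of-band housekeeping */
static int abort_on_error;  /* hypothetical stand-in for malloc flag 'A' */

void *toy_alloc(void)
{
    for (size_t i = 0; i < NCHUNKS; i++)
        if (!in_use[i]) { in_use[i] = 1; return pool[i]; }
    return NULL;                                /* pool exhausted */
}

enum toy_status toy_free(void *p)
{
    uintptr_t base = (uintptr_t)pool, q = (uintptr_t)p;
    enum toy_status st = TOY_OK;

    /* Every decision is made from the table; chunk contents are never read. */
    if (q < base || q >= base + sizeof pool || (q - base) % CHUNK_SIZE != 0)
        st = TOY_BAD_POINTER;                   /* stray or modified pointer */
    else if (!in_use[(q - base) / CHUNK_SIZE])
        st = TOY_ALREADY_FREE;                  /* second free of this chunk */
    else
        in_use[(q - base) / CHUNK_SIZE] = 0;

    if (st != TOY_OK) {
        fprintf(stderr, "toy_free(): error: %s\n", st == TOY_ALREADY_FREE
                ? "chunk is already free" : "pointer is not a chunk start");
        if (abort_on_error)
            abort();                            /* fail-stop, as with 'A' */
    }
    return st;
}

int main(void)
{
    void *a = toy_alloc();
    toy_free(a);
    return toy_free(a) == TOY_ALREADY_FREE ? 0 : 1; /* double free is caught */
}
```

With `abort_on_error` left at 0 the second free is reported and ignored, and the table is unchanged; set to 1, the same condition terminates the process, which is the denial-of-service case the advisory describes.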


