Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2002.142 -- FreeBSD-SA-02:18.zlib zlib double-free 19 March 2002 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: zlib Vendor: FreeBSD Operating System: FreeBSD Impact: Denial of Service Access Required: Remote Ref: ESB-2002.129 ESB-2002.127 ESB-2002.125 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-02:18 Security Advisory FreeBSD, Inc. Topic: zlib double-free Category: core, ports Module: zlib Announced: 2002-03-18 Credits: Matthias Clasen <maclas@gmx.de> Owen Taylor <otaylor@redhat.com> Affects: All released versions of FreeBSD FreeBSD 4.5-STABLE prior to the correction date Various ports using or including zlib Corrected: 2002-02-22 02:48:40 UTC (RELENG_4) 2002-02-23 00:14:28 UTC (RELENG_4_5) 2002-02-23 00:15:19 UTC (RELENG_4_4) 2002-02-23 00:15:50 UTC (RELENG_4_3) CVE: CAN-2002-0059 FreeBSD only: NO I. Background zlib is a compression library used by numerous applications to provide data compression/decompression routines. II. Problem Description A programming error in zlib may cause segments of dynamically allocated memory to be released more than once (double-freed). If an attacker is able to pass a specially-crafted block of invalid compressed data to a program that includes zlib, the program's attempt to decompress the crafted data may cause the zlib routines to attempt to free memory multiple times. Unlike some implementations of malloc(3)/free(3), the malloc(3) and free(3) routines used in FreeBSD (aka phkmalloc, written by Poul-Henning Kamp <phk@FreeBSD.org>), are not vulnerable to this type of bug. From the author: Most mallocs keep their housekeeping data right next to the allocated range. This gives rise to all sorts of unpleassant situations if programs stray outside the dotted line, free(3) things twice or free(3) modified pointers. phkmalloc(3) does not store housekeeping next to allocated data, and in particular it has code that detects and complains about exactly this kind of double free. When attempting to double-free an area of memory, phkmalloc will issue a warning: progname in free(): error: chunk is already free and may call abort(3) if the malloc flag 'A' is used. III. Impact If an attacker is able to pass a specially-crafted block of invalid compressed data to an application that utilizes zlib, the attempt to decompress the data may cause incorrect operation of the application, including possibly crashing the application. Also, the malloc implementation will issue warnings and, if the `A' malloc option is used, cause the application to abort(3). In short, an attacker may cause a denial of service in applications utilizing zlib. IV. Workaround To prevent affected programs from aborting, remove the 'A' from the malloc flags. To check which malloc flags are in use, issue the following commands: # ls -l /etc/malloc.conf # echo $MALLOC_OPTIONS A nonexistent /etc/malloc.conf or MALLOC_OPTIONS environmental variable means that no malloc flags are in use. See the malloc(3) man page for more information. V. Solution [FreeBSD 4.x base system] 1) Upgrade your vulnerable system to 4.5-STABLE or to one of the RELENG_4_4 or RELENG_4_5 security branches dated after the respective correction dates. 2) To patch your present system: download the relevant patch from the below location, and execute the following commands as root: # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.patch.asc Verify the detached PGP signature using your PGP utility. This patch has been verified to apply to all FreeBSD 4.x versions. # cd /usr/src # patch -p < /path/to/patch # cd lib/libz # make depend && make all install Then rebuild and reinstall your kernel as described in http://www.freebsd.org/handbook/kernelconfig.html and reboot the system with the new kernel for the changes to take effect. [ports] Various ports may statically link zlib or contain their own versions of zlib that have not been corrected by updating the FreeBSD libz. Efforts are underway to identify and correct these ports. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Path Revision Branch - - ------------------------------------------------------------------------- src/lib/libz/infblock.c RELENG_4 1.1.1.4.6.1 RELENG_4_5 1.1.1.4.12.1 RELENG_4_4 1.1.1.4.10.1 RELENG_4_3 1.1.1.4.8.1 src/sys/net/zlib.c RELENG_4 1.10.2.1 RELENG_4_5 1.10.8.1 RELENG_4_4 1.10.6.1 RELENG_4_3 1.10.4.1 - - ------------------------------------------------------------------------- VII. References <URL:http://online.securityfocus.com/archive/1/261205> The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0059 to this issue. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: FreeBSD: The Power To Serve iQCVAwUBPJXXsFUuHi5z0oilAQGjqwP/dozUEpfv3LqUE/uGcG9wzGwmhdAthjKH vLmKwoHjJE9v69W007cm4KWEYiF67GDkwYa+mBze+tG3lJknFUP7A3+U7ooGlatt 5wxngLIzl9i5bM9x2xeQmzue1xG3e+6j7xANG8O8a9aO08iDc/oSZN+4O3kkJhzf 7an7sq5rGQw= =P7az - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/Information/advisories.html If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBPJcXrih9+71yA2DNAQHyvwP+Mfyz+/69NkVOeBI9LwdC1eclM5uAD15m 0YSaW1M4DOa+6Pnoy7+yKHlR1puhRguztxE8pOVAVF99MyPiQMrprR4BKOKtlowq 7GAP+k13vvkYFNpHuRV9Gz4s0lwUyVpwkQlx7Du4gMOT0hQPCemMODOKQTRmvPlQ PP6fM2NSha8= =tSbl -----END PGP SIGNATURE-----