Operating System:

[UNIX/Linux][LINUX][BSD][FreeBSD]

Published:

18 April 2002

Protect yourself against future threats.

//Service

Phishing Take-Down

Drawing on our strong international CERT relationships we have a high success rate in delivering phishing take-downs.

Read more
Resources > Security Bulletins > ESB-2002.189 

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

              ESB-2002.189 -- FreeBSD-SA-02:18.zlib [REVISED]
                             zlib double-free
                               19 April 2002

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                zlib
Vendor:                 FreeBSD
Operating System:       FreeBSD
                        BSD
                        Linux
                        UNIX
Impact:                 Denial of Service
Access Required:        Remote

Ref:                    ESB-2002.142

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:18                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          zlib double-free

Category:       core, ports
Module:         zlib
Announced:      2002-03-18
Credits:        Matthias Clasen <maclas@gmx.de>
                Owen Taylor <otaylor@redhat.com>
Affects:        All released versions of FreeBSD
                FreeBSD 4.5-STABLE prior to the correction date
                Various ports using or including zlib
Corrected:      2002-02-24 23:12:48 UTC (RELENG_4)
                2002-02-24 23:22:57 UTC (RELENG_4_5)
                2002-02-24 23:23:58 UTC (RELENG_4_4)
                2002-02-24 23:24:46 UTC (RELENG_4_3)
CVE:            CAN-2002-0059
FreeBSD only:   NO

0.   Revision History

v1.0  2002-04-20  Initial release
v1.1  2002-04-25  Corrected ZFREE location in kernel patch
                  Corrected deflate window size check

I.   Background

zlib is a compression library used by numerous applications to provide
data compression/decompression routines.

II.  Problem Description

A programming error in zlib may cause segments of dynamically
allocated memory to be released more than once (double-freed).
If an attacker is able to pass a specially-crafted block of invalid
compressed data to a program that includes zlib, the program's
attempt to decompress the crafted data may cause the zlib routines
to attempt to free memory multiple times.

Unlike some implementations of malloc(3)/free(3), the malloc(3) and
free(3) routines used in FreeBSD (aka phkmalloc, written by
Poul-Henning Kamp <phk@FreeBSD.org>), are not vulnerable to this type
of bug.  From the author:

  Most mallocs keep their housekeeping data right next to the
  allocated range.  This gives rise to all sorts of unpleassant
  situations if programs stray outside the dotted line, free(3)
  things twice or free(3) modified pointers.

  phkmalloc(3) does not store housekeeping next to allocated data,
  and in particular it has code that detects and complains about
  exactly this kind of double free.

When attempting to double-free an area of memory, phkmalloc will
issue a warning:

  progname in free(): error: chunk is already free

and may call abort(3) if the malloc flag 'A' is used.

III. Impact

If an attacker is able to pass a specially-crafted block of invalid
compressed data to an application that utilizes zlib, the attempt to
decompress the data may cause incorrect operation of the application,
including possibly crashing the application.  Also, the malloc
implementation will issue warnings and, if the `A' malloc option is
used, cause the application to abort(3).  In short, an attacker may
cause a denial of service in applications utilizing zlib.

IV.  Workaround

To prevent affected programs from aborting, remove the 'A' from
the malloc flags.  To check which malloc flags are in use, issue the
following commands:

# ls -l /etc/malloc.conf
# echo $MALLOC_OPTIONS

A nonexistent /etc/malloc.conf or MALLOC_OPTIONS environmental variable
means that no malloc flags are in use.  See the malloc(3) man page for
more information.

V.   Solution

[FreeBSD 4.x base system]

1) Upgrade your vulnerable system to 4.5-STABLE or to one of the
RELENG_4_4 or RELENG_4_5 security branches dated after the respective
correction dates.

2) To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

For FreeBSD 4.x systems that have the previous zlib patch applied:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.v1.1.corrected.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.v1.1.corrected.patch.asc

For FreeBSD 4.x systems that do not have the previous zlib patch
applied:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.v1.1.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.v1.1.patch.asc

Verify the detached PGP signature using your PGP utility.

This patch has been verified to apply to all FreeBSD 4.x versions.

# cd /usr/src
# patch -p < /path/to/patch
# cd lib/libz
# make depend && make all install

Then rebuild and reinstall your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system with the new kernel for the changes to take effect.

[ports]

Various ports may statically link zlib or contain their own versions
of zlib that have not been corrected by updating the FreeBSD libz.
Efforts are underway to identify and correct these ports.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                                             Revision
  Branch
- - -------------------------------------------------------------------------
src/lib/libz/deflate.c
  RELENG_4                                                        1.5.2.1
  RELENG_4_5                                                      1.5.8.1
  RELENG_4_4                                                      1.5.6.1
  RELENG_4_3                                                      1.5.4.1
src/lib/libz/infblock.c
  RELENG_4                                                    1.1.1.4.6.1
  RELENG_4_5                                                 1.1.1.4.12.1
  RELENG_4_4                                                 1.1.1.4.10.1
  RELENG_4_3                                                  1.1.1.4.8.1
src/sys/net/zlib.c
  RELENG_4                                                       1.10.2.3
  RELENG_4_5                                                     1.10.8.2
  RELENG_4_4                                                     1.10.6.2
  RELENG_4_3                                                     1.10.4.2
- - -------------------------------------------------------------------------

VII. References

<URL:http://online.securityfocus.com/archive/1/261205>

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0059 to this issue.

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPL7ZU1UuHi5z0oilAQFBSAQAjR7ddnCz9WUySoE3wxUtrrEyp5ZGw0cW
8PNIdu78zLdBYwAMr02ZPht+3tb1E3ycshO+MLhtW05SrDWPd5KIy6nk03AOjgB9
aKPs+B2NKN84W3udAtHaGYWL24ef8PJFJnna05oAiuXHrkCyHbMIB11RJ86ZJx3u
4DHKy14D8lE=
=EeE6
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBPL/4ECh9+71yA2DNAQGG1gQAlRRckiUo7obzqUmRcX75tZZNvsanzNEx
YB4VidsGSuduADcgmBlzTFUBk4wD5j6XiJhH/Qs6wD7SNajGFmwhsiYuq08V4iyM
mLBnrM2BBVw1yHsx4Z5QVlrrv1an1It4iBIi6pmZFbRu1SmOrp1j7pMxEkDGl/kp
rdm1KEE/FTo=
=DiC5
-----END PGP SIGNATURE-----