Sender: tw-cert ()  Board: security  Date: Mon Mar 18 19:28:27 2002
Subject: TW-CA-2002-051-[CERT Advisory: CA-2002-07 Double Free Bug in zlib Compression Library]
-------------------------------------------------------------------------------
TWCERT release date: 2002-03-15
Original vulnerability release date: 2002-03-12
Category: DoS, Gain Privilege, Info Leak
Source reference: CERT Advisory

------ Summary ----------------------------------------------------------------

There is a vulnerability in the zlib compression library. Any program that uses the zlib library may therefore contain a security hole that allows an attacker to mount a denial-of-service (DoS) attack, obtain information (information leakage), or execute arbitrary code.

Note that CERT/CC has so far received no reports of attacks exploiting this vulnerability. Based on the information currently available, it is difficult to determine whether the vulnerability can be successfully exploited. However, because the zlib library is so widely used, we are publishing this document as a proactive measure.

------ Description ------------------------------------------------------------

There is a vulnerability in the decompression algorithm of the zlib compression library. If an attacker can pass a program that uses zlib a piece of invalid compressed data containing a specially crafted block, then when the program tries to decompress that block, the zlib routines will corrupt the internal data structures maintained by malloc.

The vulnerability stems from a programming error that causes a dynamically allocated memory segment to be released more than once (i.e. "double-freed"). Specifically, when inftrees.c:huft_build() receives the crafted data, it returns an unexpected Z_MEM_ERROR to inftrees.c:inflate_trees_dynamic(). If infblock.c:inflate_blocks() is then called, the inflate_blocks function attempts to free the internal data structure a second time.

Because this vulnerability involves the allocation and release of dynamic memory, an attacker may be able to influence the operation of programs that use zlib. In most cases this only results in denial of service (DoS) or information leakage, but in theory an attacker could insert code into the running program, and that code would be executed with the privileges of the program containing the vulnerability.

CERT/CC is tracking this vulnerability as VU#368819, which corresponds to CVE candidate CAN-2002-0059.

------ Affected platforms -----------------------------------------------------

- Any software that uses zlib 1.1.3 or earlier may be affected.
- Any data compression algorithm developed from zlib 1.1.3 or earlier may have the same vulnerability.

------ Solution ---------------------------------------------------------------

- Upgrade zlib

The zlib maintainers have released version 1.1.4 to address this weakness. Any software that uses zlib 1.1.3 or earlier, or that uses an algorithm derived from zlib 1.1.3 or earlier, must be upgraded.

The latest version of zlib can be obtained from:
http://www.zlib.org

The MD5 checksums for zlib 1.1.4 are:
abc405d0bdd3ee22782d7aa20e440f08 zlib-1.1.4.tar.gz
9bf1d36ced334b0cf1f996f5c8171018 zlib114.zip

- Obtain a patch from your software vendor

The zlib compression library is freely available and is widely used by many vendors in a variety of application software, all of which may have a security weakness because of this vulnerability.

For the information each vendor has provided about this vulnerability, see Appendix A of the original advisory.
------ Impact -----------------------------------------------------------------

This vulnerability can cause any program that uses the library to contain a security weakness. Depending on how and when the program calls the library, one or more of the following weaknesses may arise: denial of service (DoS), information leakage, or execution of arbitrary code.

------ Contact TW-CERT --------------------------------------------------------

Tel: 886-7-5250211 Fax: 886-7-5250212 886-2-23563303 886-2-23924082
Email: twcert@cert.org.tw
URL: http://www.cert.org.tw/
PGP key: http://www.cert.org.tw/eng/pgp.htm

===============================================================================
Attachment: [CA-2002-07 Double Free Bug in zlib Compression Library]

------ Overview ---------------------------------------------------------------

There is a bug in the zlib compression library that may manifest itself as a vulnerability in programs that are linked with zlib. This may allow an attacker to conduct a denial-of-service attack, gather information, or execute arbitrary code.

It is important to note that the CERT/CC has not received any reports of exploitation of this bug. Based on the information available to us at this time, it is difficult to determine whether this bug can be successfully exploited. However, given the widespread deployment of zlib, we have published this document as a proactive measure.

------ Description ------------------------------------------------------------

There is a bug in the decompression algorithm used by the popular zlib compression library. If an attacker is able to pass a specially-crafted block of invalid compressed data to a program that includes zlib, the program's attempt to decompress the crafted data can cause the zlib routines to corrupt the internal data structures maintained by malloc.

The bug results from a programming error that causes segments of dynamically allocated memory to be released more than once (i.e., "double-freed"). Specifically, when inftrees.c:huft_build() encounters the crafted data, it returns an unexpected Z_MEM_ERROR to inftrees.c:inflate_trees_dynamic().
When a subsequent call is made to infblock.c:inflate_blocks(), the inflate_blocks function tries to free an internal data structure a second time.

Because this bug interferes with the proper allocation and deallocation of dynamic memory, it may be possible for an attacker to influence the operation of programs that include zlib. In most circumstances, this influence will be limited to denial of service or information leakage, but it is theoretically possible for an attacker to insert arbitrary code into a running program. This code would be executed with the permissions of the vulnerable program.

The CERT/CC is tracking this issue as VU#368819. This reference number corresponds to CVE candidate CAN-2002-0059.

------ Platform ---------------------------------------------------------------

* Any software that is linked to zlib 1.1.3 or earlier may be affected
* Data compression libraries derived from zlib 1.1.3 or earlier may contain a similar bug

------ Solution ---------------------------------------------------------------

Upgrade your version of zlib

The maintainers of zlib have released version 1.1.4 to address this vulnerability. Upgrade any software that is linked to or derived from an earlier version of zlib.

The latest version of zlib is available at
http://www.zlib.org

These are the MD5 checksums for zlib version 1.1.4:
abc405d0bdd3ee22782d7aa20e440f08 zlib-1.1.4.tar.gz
9bf1d36ced334b0cf1f996f5c8171018 zlib114.zip

Apply a patch from your vendor

The zlib compression library is freely available and used by many vendors in a wide variety of applications. Any one of these applications may contain vulnerabilities that are introduced by this vulnerability. Appendix A contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Please contact your vendor directly.
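As an added example (not part of the advisory, zlib, or any vendor's tooling), the following POSIX shell script does the two triage checks this advisory calls for on a defender's side: it decides whether a reported zlib version string falls in the affected range (1.1.3 or earlier, fixed in 1.1.4), and it scans ldd output for a libz dependency, generalizing the check the XFree86 entry in Appendix A gives for 'ldd /usr/X11R6/bin/XFree86'. The sample ldd output is constructed; the binary path in $1 is optional.

```shell
#!/bin/sh
# Added example, not from CA-2002-07 or zlib: version triage for the
# affected range (zlib 1.1.3 and earlier) plus an ldd-output check.

# zlib_affected VERSION -> exit 0 if VERSION is 1.1.3 or earlier, 1 if it
# is 1.1.4 or later, 2 if VERSION is not a dotted numeric string.
zlib_affected() {
    ver=$1
    case "$ver" in
        ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0          # "1"   -> minor 0, patch 0
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0       # "1.1" -> patch 0
    patch=${patch%%.*}                      # ignore any 4th component
    code=$((major * 10000 + minor * 100 + patch))
    [ "$code" -le 10103 ]                   # 1.1.3 encodes as 10103
}

# ldd_links_libz -> reads ldd output on stdin; exit 0 if any line names
# libz, which is the test the XFree86 vendor entry describes.
ldd_links_libz() {
    grep -q 'libz'
}

# Constructed sample ldd output (not captured from a real system).
SAMPLE_LDD='libX11.so.6 => /usr/X11R6/lib/libX11.so.6 (0x40020000)
libz.so.1 => /usr/lib/libz.so.1 (0x400f0000)
libc.so.6 => /lib/libc.so.6 (0x40100000)'

# Versions named in the advisory: 1.1.3 (affected), 1.1.4 (fixed),
# 1.0.8 and 1.0.4 (bundled with XFree86 4.x and 3.x respectively).
for v in 1.1.3 1.1.4 1.0.8 1.0.4; do
    if zlib_affected "$v"; then echo "zlib $v: AFFECTED, upgrade to 1.1.4";
    else echo "zlib $v: not in the affected range"; fi
done
if printf '%s\n' "$SAMPLE_LDD" | ldd_links_libz; then
    echo "sample binary is dynamically linked with libz"
fi
# Live check of a real binary when a path is given as $1 and ldd exists.
if [ -n "${1:-}" ] && command -v ldd >/dev/null 2>&1; then
    ldd "$1" 2>/dev/null | ldd_links_libz && echo "$1 links libz"
fi
```

A binary that reports libz here is only as safe as the libz.so it resolves to, and statically linked copies (such as XFree86's /usr/X11R6/lib/libz.a or the internal copies Red Hat and Conectiva mention) do not show up in ldd output at all.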
Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Apple Computer, Inc.

Mac OS X and Mac OS X Server do not contain this vulnerability.

Compaq Computer Corporation

COMPAQ COMPUTER CORPORATION
-----------------------------
x-ref: SSRT0818 zlib

At the time of writing this document, Compaq continues to evaluate this potential problem and impacts to Compaq released software. Compaq will implement solutions based on the conclusion of this evaluation as necessary. Compaq will provide notice of any new patches as a result any required solution through standard patch notification procedures and be available from your normal Compaq Services support channel.

COMPAQ COMPUTER CORPORATION
-----------------------------

Conectiva Linux

Conectiva Linux supported versions (5.0, 5.1, 6.0, 7.0, ferramentas graficas and ecomerce) are affected by the zlib vulnerability. Updates will be sent to our security mailing lists and be available at our ftp site and mirrors. The updates will include a new version of zlib itself and also other packages which include their own version of zlib or are linked statically to the system-wide copy of zlib.

Engarde

EnGarde Secure Linux Community and Professional are both vulnerable to the zlib bugs. Guardian Digital addressed this vulnerability in ESA-20020311-008 which may be found at:
http://www.linuxsecurity.com/advisories/other_advisory-1960.html

EnGarde Secure Professional users may upgrade their systems using the Guardian Digital Secure Network.

FreeBSD

FreeBSD is not vulnerable, as the FreeBSD malloc implementation detects and complains about several programming errors including this kind of double free.
Fujitsu

Fujitsu's UXP/V operating system is not affected by the zlib vulnerability because it does not support zlib.

Hewlett-Packard Company

HP is not vulnerable.

IBM Corporation

IBM's AIX operating system, version 5.1, ships with open source-originated zlib that is used with the Redhat Package Manager (rpm) to install applications that are included in the AIX-Linux Affinity Toolkit. zlib (libz.a) is a shared library in AIX. AIX 5.1 is susceptible to the described vulnerability. AIX 4.3.x does not ship with zlib, but customers who install zlib and use it will be similarly vulnerable. IBM will make the patched version of zlib available as soon as it is made available to us.

OpenBSD

OpenBSD is not vulnerable as OpenBSD's malloc implementation detects double freeing of memory. The zlib shipped with OpenBSD has been fixed in OpenBSD-current in January 2002.

Openwall GNU/*/Linux

All versions of Openwall GNU/*/Linux (Owl) prior to the 2002/02/15 Owl-current snapshot are affected by the zlib double-free vulnerability. Owl-current after 2002/02/15 includes the proper fixes in its userland packages. In order to not place the users of other vendors' products at additional risk, we have agreed to delay documenting this as a security change and including the fixes in Owl 0.1-stable until there's a coordinated public announcement. While we don't normally support this kind of a policy (releasing a fix before there's an announcement), this time handling the vulnerability in this way was consistent with the state of things by the time the (already publicly known) bug was first realized to be a security vulnerability.

The zlib bug could affect the following Owl packages: gnupg, openssh, rpm, texinfo (not necessarily in a security sense). Of these, the OpenSSH could potentially allow for an active remote attack resulting in a root compromise.
If only SSH protocol version 1 is allowed in the OpenSSH server this is reduced to a local attack, but reverse remote attack possibilities by a malicious server remain. Additionally, any third-party software that makes use of the provided zlib library could be affected.

Parts of the Linux 2.2 kernel included in Owl were also affected by the vulnerability. Fortunately, those parts (Deflate compression support for PPP and the experimental Deflate compression extension to IrDA) are normally not used by the Owl userland. The bug has been corrected starting with Linux 2.2.20-ow2 which has been made public and a part of both Owl-current and Owl 0.1-stable on 2002/03/03. This change, however, will only be documented in the publicly-available change logs on the coordinated public announcement date.

Red Hat, Inc.

Red Hat Linux ships with a zlib library that is vulnerable to this issue. Although most packages in Red Hat Linux use the shared zlib library we have identified a number of packages that either statically link to zlib or contain an internal version of the zlib code. Updates to zlib and these packages as well as our advisory note are available from the following URL. Users of the Red Hat Network can use the up2date tool to automatically upgrade their systems.
http://www.redhat.com/support/errata/RHSA-2002-026.html

Red Hat would like to thank CERT/CC for their help in coordinating this issue with other vendors.

SGI

SGI acknowledges the zlib vulnerabilities reported by CERT and is currently investigating. No further information is available at this time.

For the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a full investigation has occurred and any necessary patch(es) or release streams are available for all vulnerable and supported IRIX operating systems.
Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements. As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list on http://www.sgi.com/support/security/.

XFree86

XFree86 versions 4.0 through 4.2.0 include zlib version 1.0.8. XFree86 3.x includes zlib version 1.0.4.

The zlib code included with XFree86 is only used on some platforms. This is determined by the setting of HasZlib in the imake config files in the xc/config/cf source directory. If HasZlib is set to YES in the platform's vendor.cf file(s), then the system-provided zlib is used instead of the XFree86-provided version. XFree86 uses the system-provided zlib by default only on the following platforms:

  FreeBSD 2.2 and later
  NetBSD 1.2.2 and later
  OpenBSD
  Darwin
  Debian Linux

The zlib code in XFree86 has been fixed in the CVS repository (trunk and the xf-4_2-branch branch) as of 14 February 2002. A source patch for XFree86 4.2.0 will be available from ftp://ftp.xfree86.org/pub/XFree86/4.2.0/fixes/.

The following XFree86 4.2.0 binary distributions provided by XFree86 include and use a vulnerable version of zlib:

  Linux-alpha-glibc22
  Linux-ix86-glibc22

When updated binaries are available, it'll be documented at http://www.xfree86.org/4.2.0/UPDATES.html.

To check if an installation of XFree86 includes zlib, see if the following file exists:

  /usr/X11R6/lib/libz.a

To check if an XFree86 X server is dynamically linked with zlib, look for a line containing 'libz' in the output of 'ldd /usr/X11R6/bin/XFree86'.

Various vendors repackage and distribute XFree86, and may use settings and configurations different from those described here.
zlib.org

All users of zlib versions 1.1.3 or earlier should obtain the latest version, 1.1.4 or later, from http://www.zlib.org, in order to avoid this vulnerability as well as other possible vulnerabilities in versions prior to 1.1.3 when decompressing invalid data.

Appendix B. - References

* http://bugzilla.gnome.org/show_bug.cgi?id=70594
* http://www.kb.cert.org/vuls/id/368819
* http://www.libpng.org/pub/png/pngapps.html
* http://www.redhat.com/support/errata/RHSA-2002-026.html

_________________________________________________________________

The CERT/CC thanks Owen Taylor and Mark Cox of Red Hat, Inc. for reporting this vulnerability. We also thank Mark Adler of zlib.org for contributing to our research and Matthias Clasen for contributing to the discovery of this vulnerability.

_________________________________________________________________

This document was written by Jeffrey P. Lanza.

______________________________________________________________________

This document is available from: http://www.cert.org/advisories/CA-2002-07.html

------ Impact -----------------------------------------------------------------

This bug may introduce vulnerabilities into any program that includes the affected library. Depending upon how and where the zlib routines are called from the given program, the resulting vulnerability may have one or more of the following impacts: denial of service, information leakage, or execution of arbitrary code.

--
* Origin: 中山大學-美麗之島BBS (National Sun Yat-sen University, Formosa BBS) * From: 140.117.101.140 [authenticated]