SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Generic)  >   Zlib Vendors:   [Multiple Authors/Vendors]
(Sun Issues Preliminary T-patches) Re: 'zlib' Shared Compression Library Contains 'Double Free()' Buffer Overflow That Lets Remote Users Cause Programs Using zlib to Crash or Execute Arbitrary Code
SecurityTracker Alert ID:  1003937
SecurityTracker URL:  http://securitytracker.com/id/1003937
CVE Reference:   CAN-2002-0059   (Links to External Site)
Date:  Apr 1 2002
Impact:   Denial of service via network, Execution of arbitrary code via local system, Execution of arbitrary code via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 1.1.3
Description:   A vulnerability was reported in the zlib shared library, a widely used library that provides in-memory compress and decompression functions. A remote user could cause programs using this library to crash or to execute arbitrary code on the system.

It is reported that certain types of input will cause zlib to free the same area of memory twice (i.e., perform a "double free"), resulting in a buffer overflow condition when expanding compressed input. A remote user can cause programs that process untrusted user-supplied compressed input to crash or potentially execute arbitrary code on the system.

It is reported that web browsers or email programs that display image attachments or other programs that uncompress data may be particularly affected.

It is reported that Matthias Clasen <maclas@gmx.de> and Owen Taylor <otaylor@redhat.com> discovered this bug.

Impact:   A remote user can cause affected programs that use zlib to process untrusted user-supplied compressed input to crash or potentially execute arbitrary code on the system.
Solution:   Sun has issued a preliminary fix and has indicated that a final solution is pending.

Preliminary T-patches are available for the following releases from:

http://sunsolve.sun.com/tpatches

SPARC

Open Windows 3.6.1 (for Solaris 7) T-patch T108376-37.tar.Z
Open Windows 3.6.2 (for Solaris 8) T-patch T108652-51.tar.Z
Solaris 8 T-patch T112611-01.tar.Z

Intel

Open Windows 3.6.1 (for Solaris 7) T-patch T108377-33.tar.Z
Open Windows 3.6.2 (for Solaris 8) T-patch T108653-41.tar.Z
Solaris 8 T-patch T112612-01.tar.Z

Sun has also issued the following disclaimer:

"This document refers to one or more preliminary temporary patches (T-patches) which are designed to address the concerns identified herein. Sun has limited experience with these patches due to their preliminary nature. Sun may release full patches at a later date, however, Sun is under no obligation whatsoever to create, release, or distribute any such patches."

Vendor URL:  www.gzip.org/zlib/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   UNIX (Solaris - SunOS)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 11 2002 'zlib' Shared Compression Library Contains 'Double Free()' Buffer Overflow That Lets Remote Users Cause Programs Using zlib to Crash or Execute Arbitrary Code



 Source Message Contents

Date:  Mon, 01 Apr 2002 01:10:00 -0500
Subject:  Security issue with zlib (libz(3)) in Solaris and OpenWindows


DOCUMENT ID: 43541 
SYNOPSIS: Security issue with zlib (libz(3)) in Solaris and OpenWindows 
DETAIL DESCRIPTION: 

Sun(sm) Alert Notification 

     Sun Alert ID: 43541 

     Synopsis: Security issue with zlib (libz(3)) in Solaris and
OpenWindows 

     Category: Security 

     Product: Solaris, OpenWindows 
     BugIDs: 4644966, 4644859 
     Avoidance: Workaround, T-Patch 

     State: Committed 
     Date Released: 28-Mar-2002 
     Date Closed: 
     Date Modified: 

1. Impact 

Depending upon how and where the zlib routines are called from an
application which links with zlib, the resulting vulnerability may
result in a denial of service, information leakage, or execution of
arbitrary code. 

A large number of free applications and libraries have been identified
as using zlib at http://www.gzip.org/zlib/apps.html. Some of this
freeware is shipped on the Solaris 8 Software Companion CD. 

This issue is described in the CERT Vulnerability VU#368819 (see
http://www.kb.cert.org/vuls/id/368819) which is referenced in CA-2002-07
(see http://www.cert.org/advisories/CA-2002-07.html). 

2. Contributing Factors 

This issue can occur in the following releases: 

SPARC 

     Open Windows 3.6.1 (for Solaris 7) with the following patches: 

                107648-02 through 107648-09
                or
                107078-19
                or
                108376-01 through 108376-36                        

     Open Windows 3.6.2 (for Solaris 8) 
     Solaris 8 

Intel 

     Open Windows 3.6.1 (for Solaris 7) with the following patches: 

                107649-02 through 107649-09
                or
                107079-18
                or
                108377-01 through 108377-32                        

     Open Windows 3.6.2 (for Solaris 8) 
     Solaris 8 

Notes: The vulnerable OpenWindows library (libz) was introduced into
OpenWindows 3.6.1 in the feature patches listed above.
Prior to installing the feature patch, OpenWindows 3.6.1 was not
vulnerable. 

Solaris 7 and earlier are not vulnerable to this issue as the Solaris
libz library was not shipped in Solaris 7 and earlier. 

3. Symptoms 

An application which links with zlib may be able to be killed when
handling untrusted zipped input. There are no reliable symptoms to show
arbitrary code has been inserted into a running program linked with zlib
and executed. 


SOLUTION SUMMARY: 

4. Relief/Workaround 

Preliminary T-patches are available for the following releases from: 

     http://sunsolve.sun.com/tpatches 

SPARC 

     Open Windows 3.6.1 (for Solaris 7) T-patch T108376-37.tar.Z 
     Open Windows 3.6.2 (for Solaris 8) T-patch T108652-51.tar.Z 
     Solaris 8 T-patch T112611-01.tar.Z 

Intel 

     Open Windows 3.6.1 (for Solaris 7) T-patch T108377-33.tar.Z 
     Open Windows 3.6.2 (for Solaris 8) T-patch T108653-41.tar.Z 
     Solaris 8 T-patch T112612-01.tar.Z 

This document refers to one or more preliminary temporary patches
(T-patches) which are designed to address the concerns identified
herein. Sun has limited experience with these patches due to their
preliminary nature. Sun may release full patches at a later date,
however, Sun is under no obligation whatsoever to create, release, or
distribute any such patches. 

5. Resolution 

A final solution is pending completion. 

This Sun Alert notification is being provided to you on an "AS IS"
basis. Sun makes no representations, warranties, or guaranties as to the
quality, suitability, truth, accuracy or completeness of any of the
information contained herein. This Sun Alert notification may contain
information provided by third parties. ANY AND ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY
DISCLAIMED. The issues described in this Sun Alert notification may or
may not impact your system(s). 

BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL
DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION
CONTAINED HEREIN. 

This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your Confidential Disclosure Agreement or the confidentiality provisions
of your agreement to purchase services from Sun. In the event that you
do not have one of the above-referenced agreements with Sun, this
information is provided pursuant to the confidentiality provisions of
the Sun.com Terms of Use. This Sun Alert notification may only be used
for the purposes contemplated by these agreements. 

Copyright 2001, 2002 Sun Microsystems, Inc., 901 San Antonio Road, Palo
Alto, CA 94303 U.S.A. All rights reserved.


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC