-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Zlib Advisory 2002-03-11

zlib Compression Library Corrupts malloc Data Structures via Double Free

Original release date: March 11, 2002
Last revised: March 14, 2002

What it is:

There is a security vulnerability in zlib 1.1.3 that can be exploited by providing a specially crafted invalid compressed data stream to zlib's decompression routines that results in zlib attempting to free the same memory twice. On many systems, freeing the same memory twice will crash the application. Such "double free" vulnerabilities can be used in denial-of-service attacks, and it is remotely possible that the vulnerability could be exploited in some application to execute arbitrary code with that application's permissions. There have been no reports of any exploitations of this problem, but the vulnerability exists nevertheless.

What to do:

A new version of zlib has been released, zlib 1.1.4, that eliminates this possibility of a double-free, and thus eliminates the vulnerability. This new version is available in source form from http://www.zlib.org with links to alternate download sites around the world. The file is zlib-1.1.4.tar.gz, and has the md5sum: abc405d0bdd3ee22782d7aa20e440f08.

Applications linking statically with zlib 1.1.3 or earlier, or using their own copy of zlib, must be recompiled even if you think your system protects you from double frees. Similarly, all systems that provide zlib as a dynamic shared library should immediately update to zlib 1.1.4 and applications using it should be restarted.

Early versions of zlib up to 1.0.8 do not have this double free problem, but have other problems that are fixed in later versions, so these early versions must be upgraded as well.

For further instructions and vendor information, please read the CERT Advisory CA-2002-07 at http://www.cert.org/advisories/CA-2002-07.html

How to know:

The use of zlib has apparently reached pandemic proportions. :-) Before the research in February and March of 2002 on this vulnerability, even the authors of zlib had no clue how widespread the use of zlib has become. It is not clear that even the CERT advisory will be seen by every application author that has used zlib. You can find a partial list of zlib applications at http://www.gzip.org/zlib/apps.html and you can find vendor statements in the CERT advisory. Those represent zlib applications that we know about.

So how do you know where else zlib is used and should be updated? Florian Weimer has generously provided a Perl script for just this purpose. It can search executables for signatures of zlib's decompression code and report its presence. That script is at http://CERT.Uni-Stuttgart.DE/files/fw/find-zlib, and any questions or suggestions on the script should be directed to Florian at Weimer@CERT.Uni-Stuttgart.DE.

If your vendor uses zlib and is not listed in the CERT advisory, then you should contact your vendor directly.

History and acknowledgments

Steven Sawkins provided the first report of the double-free problem in zlib 1.1.3 to the authors of zlib, Mark Adler and Jean-loup Gailly. Though not detected, this problem was first present in zlib 1.0.9 released on February 17, 1998. The problem was then reported by other people but the zlib authors did not correctly appreciate the security implications and thus the seriousness of this issue. The most recent report was made by Owen Taylor on February 6, 2002, after Matthias Clasen found an invalid PNG file crashing zlib. It was then pointed out by several people, including Mark Cox, that this represented a serious security vulnerability, since double-frees had been exploited in the past, and since zlib is in such widespread use. This led to the release of zlib 1.1.4 on March 11, 2002 to eliminate the vulnerability, and the release by Jeffrey Lanza of CERT Advisory CA-2002-07 on March 12, 2002.
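The following is an added example for the "How to know" section above; it is not part of the advisory, not zlib project code, and not Florian Weimer's find-zlib script. It audits file bytes for the version-bearing copyright strings that zlib's inflate.c and deflate.c embed (the assumption here is that strings of the form " inflate 1.1.3 Copyright 1995-1998 Mark Adler " survive static linking, which is a weaker heuristic than matching the decompression code itself), classifies each found version against the ranges the advisory gives (double free present from 1.0.9 through 1.1.3, fixed in 1.1.4, older releases to be upgraded for other reasons), and checks a downloaded tarball against the md5sum printed above. The sample "binaries" at the bottom are constructed inline so the script runs offline.

```python
"""Audit binaries for embedded copies of zlib and report whether the embedded
version falls in the double-free range of Zlib Advisory 2002-03-11."""
import hashlib
import re
import sys
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Values taken from the advisory text.
ADVISORY_TARBALL_MD5 = "abc405d0bdd3ee22782d7aa20e440f08"   # zlib-1.1.4.tar.gz
FIRST_AFFECTED: Version = (1, 0, 9)   # double free first present in 1.0.9
FIXED: Version = (1, 1, 4)            # double free removed in 1.1.4

# Assumption: zlib's deflate.c and inflate.c carry copyright strings such as
# " inflate 1.1.3 Copyright 1995-1998 Mark Adler " that survive static linking.
# This is a version-string heuristic, not a scan for the decompression code.
_VERSION_RE = re.compile(rb"\b(inflate|deflate) (\d+)\.(\d+)\.(\d+) Copyright")


def find_zlib_versions(data: bytes) -> List[Tuple[str, Version]]:
    """Return every (component, version) pair whose copyright string appears in data."""
    found: List[Tuple[str, Version]] = []
    for m in _VERSION_RE.finditer(data):
        component = m.group(1).decode("ascii")
        version = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
        found.append((component, version))
    return found


def classify(version: Version) -> str:
    """Map a zlib version to the three cases the advisory distinguishes."""
    if version >= FIXED:
        return "fixed"
    if version >= FIRST_AFFECTED:
        return "vulnerable"   # double free present: rebuild or update to 1.1.4
    return "old"              # no double free, but other fixed bugs: upgrade anyway


def audit_bytes(data: bytes) -> Dict[str, str]:
    """Status per embedded component; the worst status wins if several copies exist."""
    rank = {"vulnerable": 2, "old": 1, "fixed": 0}
    result: Dict[str, str] = {}
    for component, version in find_zlib_versions(data):
        status = classify(version)
        if component not in result or rank[status] > rank[result[component]]:
            result[component] = status
    return result


def verify_tarball_md5(data: bytes) -> bool:
    """Check downloaded zlib-1.1.4.tar.gz bytes against the advisory's md5sum."""
    return hashlib.md5(data).hexdigest() == ADVISORY_TARBALL_MD5


# Constructed sample inputs standing in for real executables (not real binaries).
SAMPLE_VULNERABLE = (b"\x7fELF\x01\x01\x01" + b"\x00" * 16
                     + b" inflate 1.1.3 Copyright 1995-1998 Mark Adler "
                     + b"\x00" * 8
                     + b" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly ")
SAMPLE_FIXED = b"MZ" + b"\x00" * 30 + b" inflate 1.1.4 Copyright 1995-2002 Mark Adler "
SAMPLE_NO_ZLIB = b"\x7fELF" + b"just some text with no compression library in it"

if __name__ == "__main__":
    # Usage: python zlib_audit.py /path/to/binary [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            report = audit_bytes(fh.read())
        print(path, report or "no zlib copyright string found")
```

A "fixed" result only says a 1.1.4-or-later copyright string is present; a stripped binary, or one whose copy of zlib was trimmed to the inflate side only, can still carry vulnerable code that this heuristic misses, which is why the advisory points to a script that matches the decompression code itself.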
Mark Adler
Jean-loup Gailly

This document is available from http://www.gzip.org/zlib/advisory-2002-03-11.txt

Revision history:

o March 11, 2002: initial version
o March 13, 2002: rewrite by Mark Adler
o March 14, 2002: add revision history and fix typo

The public PGP key of zlib author Jean-loup Gailly is available from http://www.gzip.org/zlib/jloup.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8kPsg2aJ9JQGWcacRArDqAKCRPPH0rs3QexhXevSLdDHd8cqSQQCgjHns
sXopEyK7Jul/jRWnLYad6ck=
=EDIV
-----END PGP SIGNATURE-----