Vulnerability Note VU#368819

Double Free Bug in zlib Compression Library Corrupts malloc's Internal Data Structures

Original Release Date: 11 Mar 2002 | Last Revised: 08 Jul 2005

Overview

There is a bug in the zlib compression library that may manifest itself as a vulnerability in programs that are linked with zlib. This may allow an attacker to conduct a denial-of-service attack, gather information, or execute arbitrary code.

It is important to note that the CERT/CC has not received any reports of exploitation of this bug. Based on the information available to us at this time, it is difficult to determine whether this bug can be successfully exploited. However, given the widespread deployment of zlib, we have published this document as a proactive measure.

Description

There is a bug in the decompression algorithm used by the popular zlib compression library. If an attacker is able to pass a specially-crafted block of invalid compressed data to a program that includes zlib, the program's attempt to decompress the crafted data can cause the zlib routines to corrupt the internal data structures maintained by malloc.

The bug results from a programming error that causes segments of dynamically allocated memory to be released more than once (i.e., "double-freed"). Specifically, when inftrees.c:huft_build() encounters the crafted data, it returns an unexpected Z_MEM_ERROR to inftrees.c:inflate_trees_dynamic(). When a subsequent call is made to infblock.c:inflate_blocks(), the inflate_blocks function tries to free an internal data structure a second time.

Because this bug interferes with the proper allocation and deallocation of dynamic memory, it may be possible for an attacker to influence the operation of programs that include zlib. In most circumstances, this influence will be limited to denial of service or information leakage, but it is theoretically possible for an attacker to insert arbitrary code into a running program. This code would be executed with the permissions of the vulnerable program.
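The release-twice sequence described in this section, reduced to an added example that is neither zlib's code nor its 1.1.4 fix: an error path releases a buffer, a later cleanup call releases it again, and clearing the pointer after release (one common hardening, assumed here) makes the second call a no-op. The struct and function names are hypothetical, and the second free is counted rather than performed so the program runs safely.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical decoder state for this demo; not zlib's data structures. */
struct decoder {
    int *table;        /* dynamically allocated work area */
    int  table_live;   /* demo bookkeeping: 1 while the allocation is still owned */
    int  double_frees; /* release attempts on memory that was already released */
};

/* Release the work area. A second release is counted instead of passed to
   free(), because really freeing twice is undefined behaviour. */
static void release_table(struct decoder *d, int clear_pointer) {
    if (d->table == NULL) return;               /* nothing owned: safe no-op */
    if (d->table_live) { free(d->table); d->table_live = 0; }
    else               { d->double_frees++; }   /* would be a real double free */
    if (clear_pointer) d->table = NULL;         /* hardened: drop the stale pointer */
}

/* Build step: on invalid input it releases the work area and returns an error,
   like the error path the note describes. */
static int build_step(struct decoder *d, int input_valid, int hardened) {
    d->table = malloc(16 * sizeof *d->table);
    if (d->table == NULL) return -1;
    d->table_live = 1;
    if (!input_valid) { release_table(d, hardened); return -1; }
    return 0;
}

/* Later cleanup call, made whether or not the build step failed. */
static void cleanup_step(struct decoder *d, int hardened) {
    release_table(d, hardened);
}

/* Run one decode attempt and return how many double-free attempts occurred. */
int run_decode(int input_valid, int hardened) {
    struct decoder d = {0};
    (void)build_step(&d, input_valid, hardened);
    cleanup_step(&d, hardened);
    return d.double_frees;
}

int main(void) {
    printf("valid input, original:   %d\n", run_decode(1, 0));
    printf("invalid input, original: %d\n", run_decode(0, 0));
    printf("invalid input, hardened: %d\n", run_decode(0, 1));
    return 0;
}
```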

Impact

This bug may introduce vulnerabilities into any program that includes the affected library. Depending upon how and where the zlib routines are called from the given program, the resulting vulnerability may have one or more of the following impacts: denial of service, information leakage, or execution of arbitrary code.

Solution

Upgrade your version of zlib

The maintainers of zlib have released version 1.1.4 to address this vulnerability. Any software that is linked to or derived from an earlier version of zlib should be upgraded immediately. The latest version of zlib is available at http://www.zlib.org.

These are the MD5 checksums for zlib version 1.1.4:


The maintainers of zlib have published an advisory regarding this issue; for further information, please see

Apply a patch from your vendor

The zlib compression library is freely available and used by many vendors in a wide variety of applications. Any one of these applications may contain vulnerabilities introduced by this bug. For the most recent information available to the CERT/CC, please see the vendor section of this document.

Systems Affected

Vendor                       Status    Date Notified  Date Updated
Cisco Systems Inc.           Affected  11 Mar 2002    03 Apr 2002
Compaq Computer Corporation  Affected  22 Feb 2002    17 Oct 2002
Conectiva                    Affected  18 Feb 2002    14 Jun 2002
Debian                       Affected  22 Feb 2002    18 Mar 2002
FreeBSD                      Affected  22 Feb 2002    23 Apr 2002
Guardian Digital Inc.        Affected  11 Mar 2002    12 Mar 2002
Hewlett-Packard Company      Affected  22 Feb 2002    24 Jan 2003
IBM                          Affected  22 Feb 2002    25 Jun 2002
Juniper Networks             Affected  11 Mar 2002    29 Mar 2002
MandrakeSoft                 Affected  22 Feb 2002    05 Jul 2002
NetBSD                       Affected  22 Feb 2002    22 Mar 2002
Novell                       Affected  12 Apr 2002    14 Apr 2002
OpenBSD                      Affected  22 Feb 2002    22 Mar 2002
OpenSSH                      Affected  22 Feb 2002    24 Jun 2002
Openwall GNU/*/Linux         Affected  13 Feb 2002    12 Mar 2002

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

References

Credit

The CERT/CC thanks Owen Taylor and Mark Cox of Red Hat, Inc. for reporting this vulnerability. We also thank Mark Adler of zlib.org for contributing to our research and Matthias Clasen for contributing to the discovery of this vulnerability.

This document was written by Jeffrey P. Lanza.

Other Information

  • CVE IDs: CVE-2002-0059
  • CERT Advisory: CA-2002-07
  • Date Public: 11 Mar 2002
  • Date First Published: 11 Mar 2002
  • Date Last Updated: 08 Jul 2005
  • Severity Metric: 21.37
  • Document Revision: 62

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.