US-CERT
Vulnerability Notes Database

Vulnerability Note VU#368819

Double Free Bug in zlib Compression Library Corrupts malloc's Internal Data Structures

Overview

There is a bug in the zlib compression library that may manifest itself as a vulnerability in programs that are linked with zlib. This may allow an attacker to conduct a denial-of-service attack, gather information, or execute arbitrary code.

It is important to note that the CERT/CC has not received any reports of exploitation of this bug. Based on the information available to us at this time, it is difficult to determine whether this bug can be successfully exploited. However, given the widespread deployment of zlib, we have published this document as a proactive measure.

I. Description

There is a bug in the decompression algorithm used by the popular zlib compression library. If an attacker is able to pass a specially-crafted block of invalid compressed data to a program that includes zlib, the program's attempt to decompress the crafted data can cause the zlib routines to corrupt the internal data structures maintained by malloc.

The bug results from a programming error that causes segments of dynamically allocated memory to be released more than once (i.e., "double-freed"). Specifically, when inftrees.c:huft_build() encounters the crafted data, it returns an unexpected Z_MEM_ERROR to inftrees.c:inflate_trees_dynamic(). When a subsequent call is made to infblock.c:inflate_blocks(), the inflate_blocks function tries to free an internal data structure a second time.

Because this bug interferes with the proper allocation and deallocation of dynamic memory, it may be possible for an attacker to influence the operation of programs that include zlib. In most circumstances, this influence will be limited to denial of service or information leakage, but it is theoretically possible for an attacker to insert arbitrary code into a running program. This code would be executed with the permissions of the vulnerable program.
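The sequence described above, reduced to a small model (an added example, not zlib source code and not part of the original note): an error path releases a buffer but leaves the stale pointer in the state, and a later call on the same state releases it again. The struct, function names and the pointer-clearing mitigation are illustrative assumptions and do not describe the actual 1.1.4 change. The model counts the second release instead of performing it.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model written for this note; not zlib source code. */
struct block_state {
    void *table;        /* heap buffer owned by the state */
    int   table_freed;  /* model bookkeeping: buffer already released */
    int   double_frees; /* repeated releases the model intercepted */
};

/* Release the table once; count (rather than perform) a second release,
 * because calling free() twice on one pointer is undefined behaviour. */
static void release_table(struct block_state *s) {
    if (s->table == NULL) return;
    if (s->table_freed) { s->double_frees++; return; }
    free(s->table);
    s->table_freed = 1;
}

/* Error path: the build step fails on bad input and releases the table.
 * With clear_ptr == 0 the stale pointer stays in the state (the bug
 * pattern); with clear_ptr == 1 the pointer is reset after release. */
static int build_step(struct block_state *s, int clear_ptr) {
    s->table = malloc(64);
    s->table_freed = 0;
    if (s->table == NULL) return -1;
    release_table(s);               /* cleanup on the error return */
    if (clear_ptr) s->table = NULL;
    return -1;                      /* caller sees a failure code */
}

/* Later call on the same state: its own cleanup releases the table. */
static void next_call(struct block_state *s) {
    release_table(s);
}

/* Returns how many double frees the call sequence would have caused. */
int simulate(int clear_ptr) {
    struct block_state s = {0};
    (void)build_step(&s, clear_ptr);
    next_call(&s);
    return s.double_frees;
}

int main(void) {
    printf("stale pointer kept: %d double free(s)\n", simulate(0));
    printf("pointer cleared:    %d double free(s)\n", simulate(1));
    return 0;
}
```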

II. Impact

This bug may introduce vulnerabilities into any program that includes the affected library. Depending upon how and where the zlib routines are called from the given program, the resulting vulnerability may have one or more of the following impacts: denial of service, information leakage, or execution of arbitrary code.

III. Solution

Upgrade your version of zlib


The maintainers of zlib have released version 1.1.4 to address this vulnerability. Any software that is linked to or derived from an earlier version of zlib should be upgraded immediately. The latest version of zlib is available at http://www.zlib.org.

These are the MD5 checksums for zlib version 1.1.4:


The maintainers of zlib have published an advisory regarding this issue; for further information, please see

Apply a patch from your vendor

The zlib compression library is freely available and used by many vendors in a wide variety of applications. Any one of these applications may contain vulnerabilities that are introduced by this vulnerability. For the most recent information available to the CERT/CC, please see the vendor section of this document.
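Because zlib is often compiled directly into other programs, one way to locate old copies is to search file contents for the version banner that zlib embeds in its inflate code (" inflate <version> Copyright ..."). The scanner below is an added example, not code from CERT/CC or zlib.org; the function names are hypothetical and the sample images are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if the dotted version at p is older than 1.1.4, 0 if it is
 * 1.1.4 or newer, -1 if no version number could be parsed. */
static int older_than_fixed(const char *p) {
    static const int fixed[3] = {1, 1, 4};
    int v[3] = {0, 0, 0};
    if (sscanf(p, "%d.%d.%d", &v[0], &v[1], &v[2]) < 2) return -1;
    for (int i = 0; i < 3; i++)
        if (v[i] != fixed[i]) return v[i] < fixed[i];
    return 0;
}

/* Scan a file image for zlib's " inflate <version> " banner.
 * Returns 1 if any banner is older than 1.1.4, 0 if banners were found
 * and none is older, -1 if the image contains no banner. */
int scan_image(const unsigned char *buf, size_t len) {
    static const char tag[] = " inflate ";
    const size_t tlen = sizeof tag - 1;
    int worst = -1;
    for (size_t i = 0; i + tlen < len; i++) {
        if (memcmp(buf + i, tag, tlen) != 0) continue;
        char ver[16] = {0};             /* bounded, NUL-terminated copy */
        size_t n = len - (i + tlen);
        if (n > sizeof ver - 1) n = sizeof ver - 1;
        memcpy(ver, buf + i + tlen, n);
        int r = older_than_fixed(ver);
        if (r > worst) worst = r;
    }
    return worst;
}

/* Constructed sample images (not real binaries). */
static const unsigned char img_old[] =
    "\0\0code\0 inflate 1.1.3 Copyright 1995-1998 Mark Adler \0\0";
static const unsigned char img_new[] =
    "\0\0code\0 inflate 1.1.4 Copyright 1995-2002 Mark Adler \0\0";
static const unsigned char img_none[] = "\0\0code\0no compression here\0";

int main(void) {
    printf("old:  %d\n", scan_image(img_old, sizeof img_old));
    printf("new:  %d\n", scan_image(img_new, sizeof img_new));
    printf("none: %d\n", scan_image(img_none, sizeof img_none));
    return 0;
}
```

A result of -1 does not prove a file is free of zlib: a compressed or packed executable, or a vendor-modified copy, may not contain the banner in plain form.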

Systems Affected

Vendor | Status | Date Notified | Date Updated
AOL Time Warner | Unknown | | 6-Mar-2002
Apache | Unknown | | 25-Mar-2002
Apple Computer Inc. | Not Vulnerable | | 11-Mar-2002
AT&T | Unknown | | 14-Mar-2002
BSDI | Unknown | | 11-Mar-2002
Cisco Systems Inc. | Vulnerable | | 3-Apr-2002
Compaq Computer Corporation | Vulnerable | | 17-Oct-2002
Computer Associates | Unknown | | 14-Mar-2002
Conectiva | Vulnerable | | 14-Jun-2002
Data General | Unknown | | 25-Feb-2002
Debian | Vulnerable | | 18-Mar-2002
F-Secure | Not Vulnerable | | 15-Mar-2002
FreeBSD | Vulnerable | | 23-Apr-2002
Fujitsu | Not Vulnerable | | 8-Mar-2002
Guardian Digital Inc. | Vulnerable | | 12-Mar-2002
Hewlett-Packard Company | Vulnerable | | 24-Jan-2003
IBM | Vulnerable | | 25-Jun-2002
Juniper Networks | Vulnerable | | 29-Mar-2002
libpng.org | Unknown | | 14-Mar-2002
Lotus Software | Unknown | | 14-Mar-2002
Lucent Technologies | Unknown | | 14-Mar-2002
MandrakeSoft | Vulnerable | | 5-Jul-2002
Microsoft Corporation | Not Vulnerable | | 2-May-2002
Multinet | Unknown | | 14-Mar-2002
NEC Corporation | Unknown | | 29-Apr-2002
NetBSD | Vulnerable | | 22-Mar-2002
Netscape Communications Corporation | Unknown | | 14-Mar-2002
Nortel Networks | Unknown | | 14-Mar-2002
Novell | Vulnerable | | 14-Apr-2002
OpenBSD | Vulnerable | | 22-Mar-2002
OpenSSH | Vulnerable | | 24-Jun-2002
Openwall GNU/*/Linux | Vulnerable | | 12-Mar-2002
Oracle Corporation | Unknown | | 14-Mar-2002
Red Hat Inc. | Vulnerable | | 14-Mar-2002
Sequent | Unknown | | 25-Feb-2002
SGI | Vulnerable | | 17-Apr-2003
Slackware | Vulnerable | | 15-Mar-2002
Sony Corporation | Unknown | | 25-Feb-2002
SSH Communications Security | Not Vulnerable | | 21-Mar-2002
Sun Microsystems Inc. | Vulnerable | | 17-Apr-2003
SuSE Inc. | Vulnerable | | 27-Jun-2002
The Open Group | Unknown | | 29-Apr-2002
The SCO Group (SCO Linux) | Vulnerable | | 5-Apr-2002
The SCO Group (SCO UnixWare) | Unknown | | 25-Feb-2002
Trustix | Vulnerable | | 18-Mar-2002
Unisys | Unknown | | 25-Feb-2002
Wind River Systems Inc. | Unknown | | 14-Mar-2002
XFree86 | Vulnerable | | 11-Mar-2002
zlib.org | Vulnerable | | 8-Mar-2002

References


http://bugzilla.gnome.org/show_bug.cgi?id=70594
http://www.gzip.org/zlib/advisory-2002-03-11.txt
http://www.libpng.org/pub/png/pngapps.html
http://www.redhat.com/support/errata/RHSA-2002-026.html
http://www.securityfocus.com/bid/4267
http://securitytracker.com/alerts/2002/Mar/1003783.html
http://xforce.iss.net/xforce/xfdb/8427
http://www.ciac.org/ciac/bulletins/m-062.shtml

Credit

The CERT/CC thanks Owen Taylor and Mark Cox of Red Hat, Inc. for reporting this vulnerability. We also thank Mark Adler of zlib.org for contributing to our research and Matthias Clasen for contributing to the discovery of this vulnerability.

This document was written by Jeffrey P. Lanza.

Other Information

Date Public: 2002-03-11
Date First Published: 2002-03-11
Date Last Updated: 2005-07-08
CERT Advisory: CA-2002-07
CVE-ID(s): CVE-2002-0059
NVD-ID(s): CVE-2002-0059
US-CERT Technical Alerts:
Metric: 21.37
Document Revision: 62

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2002 Carnegie Mellon University