Feeds

*Nix security pandemic – major zlib/libz vuln

It's inside the walls, under the rug, in the ventilator shafts...

  • alert
  • submit to reddit

Next gen security for virtualised datacentres

A flaw in the zlib/libz data compression/decompression libraries could enable an attacker to mount a denial of service attack against any Linux or AIX firewall, database server, mail or Web server. It's also possible that arbitrary code could be run on a remote machine.

Because these shared libraries are used by hundreds of packages on numerous platforms, the bug is on a par with the DHCP, SNMP and Sun vulnerabilities recently reported.

The problem here is a stuff-up in a decompression routine which can corrupt the internal data structures of malloc by a double call to the free() function (double-free), discovered by Matthias Clasen. This enables memory space to be cleared twice, and can crash virtually any program.

At the moment there are no known exploits circulating, but of course it's only a matter of time before there will be.

There is no workaround, but most if not all vendors have fixes. Unfortunately, this will apply only to the library on a given system. Apps that link to it dynamically will of course be safe to run after patching, but there are hundreds of apps and services which link statically to or contain implementations of the old code, and these will of course have to be fixed individually.

The Linux kernel also uses the compression library, in the ppp layer and the freeswan IPSec kernel module.

Other apps/services which contain the old code include:

gcc 3.0
gpg
rsync
cvs
rrdtool
freeamp
Netscape (fix in the works)
ssh
vnc
XFree86

A number of these packages (except Netscape) will have been rebuilt either to link dynamically or with their own code updated, but this varies from vendor to vendor. Check with your vendor for the appropriate patches. Once they're installed, it will be necessary to recompile your kernel (if you have the relevant update package) or update the relevant modules. Any apps you built using the old code will have to be recompiled. Generally speaking, you should substitute apps which link dynamically to zlib/libz for ones that link statically or are based on the old code.

Be sure to test all patches thoroughly before integrating them into critical systems.

The repaired zlib version 1.1.4 can be downloaded from zlib.org. CERT has a bulletin with a list of currently-known vulnerable systems, but the list of unknowns is still quite large. However, CERT has proven to be fastidious about updating their advisories as new information becomes available, so do check back regularly.

We'll update this item as soon as we get better information. Data is a bit sketchy at the moment, and we've found some contradictory details in the various vendors' bulletins. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
HP busts out new ProLiant Gen9 servers
Think those are cool? Wait till you get a load of our racks
Like condoms, data now comes in big and HUGE sizes
Linux Foundation lights a fire under storage devs with new conference
Silicon Valley jolted by magnitude 6.1 quake – its biggest in 25 years
Did the earth move for you at VMworld – oh, OK. It just did. A lot
Community chest: Storage firms need to pay open-source debts
Samba implementation? Time to get some devs on the job
Forrester says it's time to give up on physical storage arrays
The physical/virtual storage tipping point may just have arrived
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?