Feeds

*Nix security pandemic – major zlib/libz vuln

It's inside the walls, under the rug, in the ventilator shafts...

  • alert
  • submit to reddit

Build a business case: developing custom apps

A flaw in the zlib/libz data compression/decompression libraries could enable an attacker to mount a denial of service attack against any Linux or AIX firewall, database server, mail or Web server. It's also possible that arbitrary code could be run on a remote machine.

Because these shared libraries are used by hundreds of packages on numerous platforms, the bug is on a par with the DHCP, SNMP and Sun vulnerabilities recently reported.

The problem here is a stuff-up in a decompression routine which can corrupt the internal data structures of malloc by a double call to the free() function (double-free), discovered by Matthias Clasen. This enables memory space to be cleared twice, and can crash virtually any program.

At the moment there are no known exploits circulating, but of course it's only a matter of time before there will be.

There is no workaround, but most if not all vendors have fixes. Unfortunately, this will apply only to the library on a given system. Apps that link to it dynamically will of course be safe to run after patching, but there are hundreds of apps and services which link statically to or contain implementations of the old code, and these will of course have to be fixed individually.

The Linux kernel also uses the compression library, in the ppp layer and the freeswan IPSec kernel module.

Other apps/services which contain the old code include:

gcc 3.0
gpg
rsync
cvs
rrdtool
freeamp
Netscape (fix in the works)
ssh
vnc
XFree86

A number of these packages (except Netscape) will have been rebuilt either to link dynamically or with their own code updated, but this varies from vendor to vendor. Check with your vendor for the appropriate patches. Once they're installed, it will be necessary to recompile your kernel (if you have the relevant update package) or update the relevant modules. Any apps you built using the old code will have to be recompiled. Generally speaking, you should substitute apps which link dynamically to zlib/libz for ones that link statically or are based on the old code.

Be sure to test all patches thoroughly before integrating them into critical systems.

The repaired zlib version 1.1.4 can be downloaded from zlib.org. CERT has a bulletin with a list of currently-known vulnerable systems, but the list of unknowns is still quite large. However, CERT has proven to be fastidious about updating their advisories as new information becomes available, so do check back regularly.

We'll update this item as soon as we get better information. Data is a bit sketchy at the moment, and we've found some contradictory details in the various vendors' bulletins. ®

Boost IT visibility and business value

More from The Register

next story
The Return of BSOD: Does ANYONE trust Microsoft patches?
Sysadmins, you're either fighting fires or seen as incompetents now
Microsoft: Azure isn't ready for biz-critical apps … yet
Microsoft will move its own IT to the cloud to avoid $200m server bill
Shoot-em-up: Sony Online Entertainment hit by 'large scale DDoS attack'
Games disrupted as firm struggles to control network
Cutting cancer rates: Data, models and a happy ending?
How surgery might be making cancer prognoses worse
Silicon Valley jolted by magnitude 6.1 quake – its biggest in 25 years
Did the earth move for you at VMworld – oh, OK. It just did. A lot
VMware's high-wire balancing act: EVO might drag us ALL down
Get it right, EMC, or there'll be STORAGE CIVIL WAR. Mark my words
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Scale data protection with your virtual environment
To scale at the rate of virtualization growth, data protection solutions need to adopt new capabilities and simplify current features.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?