Feeds

*Nix security pandemic – major zlib/libz vuln

It's inside the walls, under the rug, in the ventilator shafts...

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

A flaw in the zlib/libz data compression/decompression libraries could enable an attacker to mount a denial of service attack against any Linux or AIX firewall, database server, mail or Web server. It's also possible that arbitrary code could be run on a remote machine.

Because these shared libraries are used by hundreds of packages on numerous platforms, the bug is on a par with the DHCP, SNMP and Sun vulnerabilities recently reported.

The problem here is a stuff-up in a decompression routine which can corrupt the internal data structures of malloc by a double call to the free() function (double-free), discovered by Matthias Clasen. This enables memory space to be cleared twice, and can crash virtually any program.

At the moment there are no known exploits circulating, but of course it's only a matter of time before there will be.

There is no workaround, but most if not all vendors have fixes. Unfortunately, this will apply only to the library on a given system. Apps that link to it dynamically will of course be safe to run after patching, but there are hundreds of apps and services which link statically to or contain implementations of the old code, and these will of course have to be fixed individually.

The Linux kernel also uses the compression library, in the ppp layer and the freeswan IPSec kernel module.

Other apps/services which contain the old code include:

gcc 3.0
gpg
rsync
cvs
rrdtool
freeamp
Netscape (fix in the works)
ssh
vnc
XFree86

A number of these packages (except Netscape) will have been rebuilt either to link dynamically or with their own code updated, but this varies from vendor to vendor. Check with your vendor for the appropriate patches. Once they're installed, it will be necessary to recompile your kernel (if you have the relevant update package) or update the relevant modules. Any apps you built using the old code will have to be recompiled. Generally speaking, you should substitute apps which link dynamically to zlib/libz for ones that link statically or are based on the old code.

Be sure to test all patches thoroughly before integrating them into critical systems.

The repaired zlib version 1.1.4 can be downloaded from zlib.org. CERT has a bulletin with a list of currently-known vulnerable systems, but the list of unknowns is still quite large. However, CERT has proven to be fastidious about updating their advisories as new information becomes available, so do check back regularly.

We'll update this item as soon as we get better information. Data is a bit sketchy at the moment, and we've found some contradictory details in the various vendors' bulletins. ®

Intelligent flash storage arrays

More from The Register

next story
Azure TITSUP caused by INFINITE LOOP
Fat fingered geo-block kept Aussies in the dark
NASA launches new climate model at SC14
75 days of supercomputing later ...
Yahoo! blames! MONSTER! email! OUTAGE! on! CUT! CABLE! bungle!
Weekend woe for BT as telco struggles to restore service
Cloud unicorns are extinct so DiData cloud mess was YOUR fault
Applications need to be built to handle TITSUP incidents
BOFH: WHERE did this 'fax-enabled' printer UPGRADE come from?
Don't worry about that cable, it's part of the config
Stop the IoT revolution! We need to figure out packet sizes first
Researchers test 802.15.4 and find we know nuh-think! about large scale sensor network ops
DEATH by COMMENTS: WordPress XSS vuln is BIGGEST for YEARS
Trio of XSS turns attackers into admins
SanDisk vows: We'll have a 16TB SSD WHOPPER by 2016
Flash WORM has a serious use for archived photos and videos
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.