[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ale] zlib security problem (question)



This is not a major hole for servers that send out compressed data. It
is a disaster hole for workstations. Unless your servers are receiving
data as well as sending, this is not a major problem for you then. It
would still be prudent to upgrade the affected zlib and other statically
compiled binaries. There are a bunch of things that are compiled against
the broken zlib that I am concerned about. Openssh is also compiled
against zlib so server control is affected.

 rpm -ql zlib
/usr/lib/libz.so.1

rpm -qlR openssh               
rpmlib(VersionedDependencies) <= 3.0.3-1
openssl >= 0.9.5a
openssl = 0.9.6b
openssl >= 0.9.5a
rpm >= 3.0.5
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(CompressedFileNames) <= 3.0.4-1
ld-linux.so.2  
libcrypto.so.2  
libc.so.6  
libdl.so.2  
libnsl.so.1  
libutil.so.1  
libz.so.1  

AAAARRRRGGGGHHHHH!!!!!

Openssl does not depend on zlib.

On Mon, 2002-03-11 at 16:53, jenn at colormaria.com wrote:
> Re-reading the advisory, I understand how this could affect my workstation
> because I routinely hit potentially untrusted sites with my browser and
> expect that all is well.  
> 
> How would a remote attacker exploit a buffer overflow of this nature on a
> server?  My servers don't run X or mozilla, and as far as I know, exist only
> to serve requests from untrusted sources, not recieve information other than
> whatever is in the request.  Can a malicious packet take advantage of this
> bug, potentially?  I realise there are no published exploits for this yet,
> I'm asking more about the theory behind such an attack rather than specifics
> on this particular bug.  
> 
> TIA
> jenn
> 
> 
> > From slashdot come distressing news:
> > 
> >  "CNET is reporting that there is a buffer overflow problem  with zlib
> > in linux, which is used for network compression. Supposedly, someone
> > could remotely cause a buffer overflow through mozilla, X11 and many
> > other programs." The advisory from Red Hat is available.
> > 
> > http://www.linuxsecurity.com/advisories/redhat_advisory-1963.html has
> > the advisory and links to the update packages for RedHat. I'm not sure
> > if this is RedHat specific (I don't think so), but the security
> > implications of hitting a crafted png image on a website and having a
> > backdoor inserted is very unnerving.
> > -- 
> > James P. Kinney III   \Changing the mobile computing world/
> > President and COO      \          one Linux user         /
> > Local Net Solutions,LLC \           at a time.          /
> > 770-493-8244             \.___________________________./
> > 
> > GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> > <jkinney at localnetsolutions.com>
> > Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 
> 
> 
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
> sent to listmaster at ale dot org.
> 
-- 
James P. Kinney III   \Changing the mobile computing world/
President and COO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 



 This is a digitally signed message part