[ale] zlib security problem (question)
James P. Kinney III
jkinney at localnetsolutions.com
Mon Mar 11 19:21:04 EST 2002
This is not a major hole for servers that send out compressed data. It
is a disaster hole for workstations. Unless your servers are receiving
data as well as sending, this is not a major problem for you then. It
would still be prudent to upgrade the affected zlib and other statically
compiled binaries. There are a bunch of things that are compiled against
the broken zlib that I am concerned about. Openssh is also compiled
against zlib so server control is affected.

    rpm -ql zlib
    /usr/lib/libz.so.1

    rpm -qlR openssh
    rpmlib(VersionedDependencies) <= 3.0.3-1
    openssl >= 0.9.5a
    openssl = 0.9.6b
    openssl >= 0.9.5a
    rpm >= 3.0.5
    rpmlib(PayloadFilesHavePrefix) <= 4.0-1
    rpmlib(CompressedFileNames) <= 3.0.4-1
    ld-linux.so.2
    libcrypto.so.2
    libc.so.6
    libdl.so.2
    libnsl.so.1
    libutil.so.1
    libz.so.1

AAAARRRRGGGGHHHHH!!!!!

Openssl does not depend on zlib.

On Mon, 2002-03-11 at 16:53, jenn at colormaria.com wrote:
> Re-reading the advisory, I understand how this could affect my workstation
> because I routinely hit potentially untrusted sites with my browser and
> expect that all is well.
>
> How would a remote attacker exploit a buffer overflow of this nature on a
> server? My servers don't run X or mozilla, and as far as I know, exist only
> to serve requests from untrusted sources, not receive information other than
> whatever is in the request. Can a malicious packet take advantage of this
> bug, potentially? I realise there are no published exploits for this yet,
> I'm asking more about the theory behind such an attack rather than specifics
> on this particular bug.
>
> TIA
> jenn
>
>
> > From slashdot come distressing news:
> >
> > "CNET is reporting that there is a buffer overflow problem with zlib
> > in linux, which is used for network compression. Supposedly, someone
> > could remotely cause a buffer overflow through mozilla, X11 and many
> > other programs." The advisory from Red Hat is available.
> >
> > http://www.linuxsecurity.com/advisories/redhat_advisory-1963.html has
> > the advisory and links to the update packages for RedHat. I'm not sure
> > if this is RedHat specific (I don't think so), but the security
> > implications of hitting a crafted png image on a website and having a
> > backdoor inserted is very unnerving.
> > --
> > James P. Kinney III \Changing the mobile computing world/
> > President and COO \ one Linux user /
> > Local Net Solutions,LLC \ at a time. /
> > 770-493-8244 \.___________________________./
> >
> > GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> > <jkinney at localnetsolutions.com>
> > Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
--
James P. Kinney III \Changing the mobile computing world/
President and COO \ one Linux user /
Local Net Solutions,LLC \ at a time. /
770-493-8244 \.___________________________./
GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
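
One way to act on the concern above about statically compiled binaries, as an added example that is not part of the original message: a shell triage that uses the banner string zlib embeds in its code (" inflate <version> Copyright ...") to find built-in copies, and the `libz.so.N` soname to find dynamic users. The function names are hypothetical, the matching is a string heuristic, and which versions are affected has to be taken from the vendor advisory.

```shell
#!/bin/sh
# Added example: triage files for zlib use. Heuristic, string-based.
# zlib's inflate/deflate code carries a banner of the form
# " inflate <version> Copyright ...", so a statically linked copy shows up
# even in a stripped binary. A dynamically linked ELF instead names the
# shared library ("libz.so.<N>") in its dynamic string table.

# Print each distinct embedded zlib version found in file $1, one per line.
zlib_embedded_versions() {
    { LC_ALL=C grep -a -o -E \
        '(inflate|deflate) [0-9]+(\.[0-9]+)+[0-9A-Za-z.-]* Copyright' \
        "$1" 2>/dev/null || true; } | awk '{ print $2 }' | sort -u
}

# Succeed if file $1 refers to a shared libz by soname.
zlib_dynamic_ref() {
    LC_ALL=C grep -a -q -E 'libz\.so\.[0-9]+' "$1" 2>/dev/null
}

# Classify file $1: "embedded <versions>", "dynamic" or "none".
zlib_classify() {
    versions=$(zlib_embedded_versions "$1" | tr '\n' ' ' | sed 's/ $//')
    if [ -n "$versions" ]; then
        echo "embedded $versions"
    elif zlib_dynamic_ref "$1"; then
        echo "dynamic"
    else
        echo "none"
    fi
}

# Report every regular file under the given directories that uses zlib.
zlib_scan() {
    for dir in "$@"; do
        find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
            result=$(zlib_classify "$f")
            [ "$result" = "none" ] || printf '%s\t%s\n' "$result" "$f"
        done
    done
}

# Usage: sh zlib-triage.sh /usr/bin /usr/sbin /usr/local/bin
if [ "$#" -gt 0 ]; then
    zlib_scan "$@"
fi
```

A file reported as `embedded` carries its own copy of the zlib code, so upgrading the zlib package does not fix it; it has to be rebuilt or replaced. Files reported as `dynamic` pick up the fix once the shared library is upgraded and the process is restarted.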