zlib 1.2.2 vulnerability

markus

zlib 1.2.2 vulnerability / 1.2.3 released!

zlib users,

zlib version 1.2.3 has been released. It eliminates a newly discovered
security vulnerability in zlib 1.2.2 for which specially crafted
compressed input can cause inflate to overflow a fixed-size array in
the internal inflate data structure. All users of zlib 1.2.1 or 1.2.2
should upgrade to zlib 1.2.3. It is available here:

http://www.zlib.net/

For now, you should use the first link for each of the distribution
files, the one on zlib.net, as not all of the links work yet.

Mark Adler


_______________________________________________
Zlib-announce mailing list
[email protected]
http://madler.net/mailman/listinfo/zlib-announce_madler.net

~~~~~~~~~~ Original Post ~~~~~~~~~~

Quoting from the zlib homepage:
IMPORTANT NOTE: (July 10, 2005) A new security vulnerability has been discovered in which specially crafted input files can cause inflate to overwrite memory that follows the internal inflate state. This can cause the application to crash depending on what is overwritten. This vulnerability only affects versions 1.2.1 and 1.2.2 of zlib. Earlier versions, e.g. 1.1.4, are not affected.

A new version of zlib will be released soon to address this issue. Stay tuned.
The latest version is still 1.2.2, which is the one installed by DA.

I would recommend subscribing to the zlib announcements mailing list, just in case:
http://zlib.net/mailman/listinfo/zlib-announce_madler.net

I have also found an interesting page which describes how to identify program binaries which include statically linked copies of zlib:

http://www.enyo.de/fw/security/zlib-fingerprint/


Cheers
 
Upgraded my RHEL and working like a charm :)

In my phpInfo I found zlib was being used by curl and libpng, which is used by GD, which is used by PHP...

This is what I did.

wget http://www.zlib.net/zlib-1.2.3.tar.gz

vi build
find: ZLIB_VER=1.2.2
replace with: ZLIB_VER=1.2.3

./build clean
./build php y


Now, I'll see how to install ClamAV to check if it is statically linked somewhere else (as described in previous posts)...
 
Originally posted by markus

Now, I'll see how to install ClamAV to check if it is statically linked somewhere else (as described in previous posts)...

Well, running clamscan to check the signatures in zlib.db it reported:

/usr/bin/rsync: ZLIB.zlib-1.0.5-1.1.5e FOUND
/usr/bin/doxygen: ZLIB.zlib-1.0.5-1.1.5e FOUND
/usr/bin/mysqltest: ZLIB.zlib-1.0.5-1.1.5e FOUND
/usr/bin/mysql: ZLIB.zlib-1.0.5-1.1.5e FOUND
/usr/bin/mysqladmin: ZLIB.zlib-1.0.5-1.1.5e FOUND
/usr/bin/mysqlbinlog: ZLIB.zlib-1.0.5-1.1.5e FOUND
/usr/bin/mysqlcheck: ZLIB.zlib-1.0.5-1.1.5e FOUND
/usr/bin/mysqldump: ZLIB.zlib-1.0.5-1.1.5e FOUND
/usr/bin/mysqlimport: ZLIB.zlib-1.0.5-1.1.5e FOUND
/usr/bin/mysqlshow: ZLIB.zlib-1.0.5-1.1.5e FOUND

I'm running RedHat Enterprise and I've found all those packages use the zlib-1.1.4 RPM provided by RHN, which AFAIK is NOT vulnerable.

So I guess I'm done here.
 
On FreeBSD I have updated using this way:

# cd /usr/local/directadmin/customapache
# ./build clean
# fetch http://www.zlib.net/zlib-1.2.3.tar.gz
# ee build

Replace "ZLIB_VER=1.2.2" with "ZLIB_VER=1.2.3"

# ./build php y
# ./build clean
# /usr/local/etc/rc.d/httpd restart

Then I have run a phpinfo.
Results:

libcurl/7.13.0 OpenSSL/0.9.7e zlib/1.2.1

ZLib Support enabled
Compiled Version 1.2.3
Linked Version 1.2.1

Does someone know how I can link the new version? And how I can see which other things are also linked to old versions?

Thanks!
 
In the customapache folder, check your configure.php file contains the correct path to the zlib libraries.

I have the following on mine:

--with-zlib \
--with-zlib-dir=/usr/local/lib \
 
markus said:
In the customapache folder, check your configure.php file contains the correct path to the zlib libraries.

I have the following on mine:

--with-zlib \
--with-zlib-dir=/usr/local/lib \

That's ok already...
 
Good luck on that one!
Go to your shell and type
# php -i

You'll see that everything is all right with both cURL and zlib.

I think it's related to Apache or some of its modules or maybe it's a PHP bug on FreeBSD?
 
LOL, strange...:D
But okay, it seems to be okay.

This is all I should do? Isn't it possible there are more files/programs linked to old versions? And if so, is there a way to search for these files? Thanks for your help!
 
Maybe your zlib was not rebuilt correctly...

Check your /usr/local/lib directory for libz.so* files. If that helps, on mine, it looks like this:

ls -la /usr/local/lib/libz.so*

lrwxrwxrwx 1 root root 13 Jul 22 05:24 /usr/local/lib/libz.so -> libz.so.1.2.3
lrwxrwxrwx 1 root root 13 Jul 22 05:24 /usr/local/lib/libz.so.1 -> libz.so.1.2.3
-rwxr-xr-x 1 root root 70450 Jul 11 15:52 /usr/local/lib/libz.so.1.2.1
-rwxr-xr-x 1 root root 70646 Jul 11 16:17 /usr/local/lib/libz.so.1.2.2
-rwxr-xr-x 1 root root 74668 Jul 22 05:24 /usr/local/lib/libz.so.1.2.3

edited: Ah, ok, I've read your previous post now. To check for programs using statically linked zlib libraries, try the ClamAV tip described at the top of this thread.
 
Ah, didn't see that tip :D

# clamscan -d zlib.db -i -r /usr/local/bin
/usr/local/bin/webalizer: ZLIB.zlib-1.0.5-1.1.5e FOUND

----------- SCAN SUMMARY -----------
Known viruses: 26
Engine version: 0.86.1
Scanned directories: 2
Scanned files: 145
Infected files: 1
Data scanned: 21.23 MB
Time: 1.997 sec (0 m 1 s)

So, all should be okay on my system now, right?
 
héhé....;)

check /lib, /usr/lib and /usr/local/lib just to make sure.

Or this one:
/usr/local/Zend/lib/
 
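The two checks the thread keeps coming back to, finding binaries with a statically linked zlib (the ClamAV zlib.db trick) and seeing which libz.so a lib directory actually hands out (the ls -la /usr/local/lib/libz.so* post), as one added example. This is my script, not code from the thread, from zlib or from ClamAV. It keys on the version strings that zlib's inflate.c and deflate.c compile into every build (" inflate 1.2.2 Copyright 1995-2004 Mark Adler " and the matching deflate string), which is the same kind of marker the zlib.db signatures look for. It assumes a grep that accepts -a, -o and -E (GNU and BSD grep both do) and a readlink binary; the sample tree it scans is constructed by the script itself, not real binaries.

```shell
#!/bin/sh
# Added example, not from the thread: fingerprint statically linked zlib copies
# by the version strings inflate.c/deflate.c embed in every build, and resolve
# which libz.so.X.Y.Z a lib directory's libz.so symlink chain ends at.
# Assumed: grep supports -a/-o/-E (GNU and BSD grep do) and readlink exists.

# Versions the zlib announcement at the top of the thread says are affected.
VULNERABLE_ZLIB="1.2.1 1.2.2"

# Print each distinct zlib version string embedded in FILE, one per line.
zlib_versions_in() {
    LC_ALL=C grep -a -o -E \
        '(inflate|deflate) [0-9]+\.[0-9]+\.[0-9]+ Copyright 1995-[0-9]{4}' "$1" 2>/dev/null \
        | awk '{ print $2 }' | sort -u
}

# Exit 0 if VERSION is one of the affected releases, 1 otherwise.
is_vulnerable_zlib() {
    for v in $VULNERABLE_ZLIB; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# Scan regular files under DIR; print "path: zlib X.Y.Z VULNERABLE|ok" per hit.
scan_static_zlib() {
    find "$1" -type f | while IFS= read -r f; do
        zlib_versions_in "$f" | while IFS= read -r ver; do
            if is_vulnerable_zlib "$ver"; then
                printf '%s: zlib %s VULNERABLE\n' "$f" "$ver"
            else
                printf '%s: zlib %s ok\n' "$f" "$ver"
            fi
        done
    done
}

# Follow DIR/libz.so through its symlink chain and print the X.Y.Z it ends at.
resolved_libz_version() {
    target="$1/libz.so"
    while [ -L "$target" ]; do
        link=$(readlink "$target")
        case "$link" in
            /*) target="$link" ;;
            *)  target="$(dirname "$target")/$link" ;;
        esac
    done
    basename "$target" | sed -n 's/^libz\.so\.\([0-9][0-9.]*\)$/\1/p'
}

# Constructed sample tree (not real binaries): two files carrying zlib marker
# strings, one clean file, and a libz.so -> libz.so.1 -> libz.so.1.2.3 chain
# like the one shown in the thread.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/lib"
    printf 'ELF\000 inflate 1.2.2 Copyright 1995-2004 Mark Adler \000' > "$d/bin/webalizer"
    printf ' inflate 1.1.4 Copyright 1995-2002 Mark Adler \000 deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly ' > "$d/bin/rsync"
    printf 'no zlib in here\n' > "$d/bin/clean"
    : > "$d/lib/libz.so.1.2.2"
    : > "$d/lib/libz.so.1.2.3"
    ln -s libz.so.1.2.3 "$d/lib/libz.so.1"
    ln -s libz.so.1 "$d/lib/libz.so"
    printf '%s\n' "$d"
}

# Demo on the constructed tree. On a real host run, for example:
#   scan_static_zlib /usr/local/bin; resolved_libz_version /usr/local/lib
sample=$(make_sample_tree)
scan_static_zlib "$sample/bin"
printf 'libz.so in %s/lib resolves to %s\n' "$sample" "$(resolved_libz_version "$sample/lib")"
rm -rf "$sample"
```

Two caveats when reading the output. A 1.2.1 or 1.2.2 string is evidence that the binary carries its own inflate, not proof that the copy is unpatched, and the reverse holds for the RHEL 1.1.4 hits earlier in the thread; a vendor that backports a fix does not bump the string. And the symlink check only tells you what that directory offers: a process whose library search path finds another libz first (the "Linked Version 1.2.1" next to "Compiled Version 1.2.3" in the phpinfo post) needs ldd on the binary or module itself to see which file the loader really picks.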