-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Zlib Advisory 2002-03-11
zlib Compression Library Corrupts malloc Data Structures via Double Free

Original release date: March 11, 2002
Last revised:          March 14, 2002


What it is:

There is a security vulnerability in zlib 1.1.3 (the defect is present in
all versions from 1.0.9 through 1.1.3) that can be exploited by providing
a specially crafted invalid compressed data stream to zlib's
decompression routines.  While handling the invalid stream, zlib
attempts to free the same memory twice.  A "double free" corrupts the
data structures that malloc uses to manage the heap: on many systems the
application then crashes, which makes the problem usable for
denial-of-service attacks, and it is remotely possible that in some
application the corrupted heap could be exploited to execute arbitrary
code with that application's permissions.  Any program that passes data
it does not control (a downloaded file or image, or data received over
the network) through zlib's decompressor is therefore exposed.  There
have been no reports of any exploitations of this problem, but the
vulnerability exists nevertheless.
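The following program is an added illustration for this advisory and is
not zlib's code; the names, state machine and the model allocator are
this example's own, and the Kraft-sum check only stands in for Huffman
tree construction.  It shows the shape of the bug class: a multi-call
decoder that frees a per-block buffer on an error path, leaves the stale
pointer in its stream state, and frees it again when the application
retries the call, next to the hardened version of the same error path.

```c
/* Added example, not zlib's source: a simplified model of the bug class above.
 * A multi-call decoder keeps a per-block buffer of code lengths in its stream
 * state.  The vulnerable error path frees it but leaves the stale pointer and
 * stays in the same mode, so when the application calls again (as inflate()
 * callers do to supply more input after Z_BUF_ERROR) the same path frees the
 * buffer a second time.  The hardened path frees once, clears the pointer and
 * makes every failure terminal. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXBITS 15

enum status { S_OK, S_STREAM_END, S_DATA_ERROR, S_BUF_ERROR, S_MEM_ERROR };
enum mode   { M_TABLE, M_DTREE, M_DONE, M_BAD };

typedef struct {
    enum mode      mode;
    unsigned char *blens;        /* per-block code lengths, heap allocated */
    unsigned char *quarantine;   /* model allocator: released block is parked here */
    int            blens_freed;  /* set once blens has been released */
    int            double_frees; /* instrumentation: releases of an already-freed blens */
} stream;

/* Model allocator: the first release only marks the block freed and parks it
 * (the real free() happens in run_stream), so a second release is counted
 * instead of corrupting malloc's data structures as it would for real. */
static void release_blens(stream *s)
{
    if (s->blens_freed) { s->double_frees++; return; }
    s->quarantine  = s->blens;
    s->blens_freed = 1;
}

/* Kraft-sum check standing in for Huffman tree construction: oversubscribed
 * lengths are a data error, incomplete ones a buffer error (zlib's inftrees.c
 * draws the same distinction), a complete set is OK. */
static enum status build_tree(const unsigned char *lens, int n)
{
    unsigned long sum = 0, full = 1UL << MAXBITS;
    for (int i = 0; i < n; i++)
        if (lens[i]) sum += 1UL << (MAXBITS - lens[i]);
    return sum > full ? S_DATA_ERROR : sum < full ? S_BUF_ERROR : S_OK;
}

/* One decoder call; `hardened` selects the fixed error handling. */
static enum status inflate_step(stream *s, const unsigned char *lens, int n,
                                int hardened)
{
    for (;;) switch (s->mode) {
    case M_TABLE:
        if ((s->blens = malloc((size_t)n)) == NULL) return S_MEM_ERROR;
        memcpy(s->blens, lens, (size_t)n);
        s->blens_freed = 0;
        s->mode = M_DTREE;
        break;                        /* loop again, now in M_DTREE */
    case M_DTREE: {
        enum status r = build_tree(s->blens, n);  /* vulnerable retry: reads freed memory */
        if (!hardened) {
            release_blens(s);         /* released on every path ... */
            if (r != S_OK) {
                if (r == S_DATA_ERROR) s->mode = M_BAD;
                return r;             /* ... but S_BUF_ERROR stays in M_DTREE, pointer intact */
            }
        } else {
            release_blens(s);
            s->blens = NULL;          /* nothing left for a later path to free */
            if (r != S_OK) { s->mode = M_BAD; return S_DATA_ERROR; }
        }
        s->mode = M_DONE;
        return S_STREAM_END;
    }
    case M_DONE: return S_STREAM_END;
    case M_BAD:  return S_DATA_ERROR;
    }
}

/* Drive a stream as an application does: call, and call again on S_BUF_ERROR
 * hoping more input will help.  Returns the final status; *double_frees (if
 * non-NULL) receives the number of releases of an already-freed block. */
enum status run_stream(const unsigned char *lens, int n, int hardened,
                       int *double_frees)
{
    stream s = { M_TABLE, NULL, NULL, 0, 0 };
    enum status r = inflate_step(&s, lens, n, hardened);
    if (r == S_BUF_ERROR)
        r = inflate_step(&s, lens, n, hardened);  /* the retry that re-runs the error path */
    if (double_frees) *double_frees = s.double_frees;
    free(s.quarantine);                           /* model allocator: the one real free */
    return r;
}

int double_frees_for(const unsigned char *lens, int n, int hardened)
{
    int d = 0;
    run_stream(lens, n, hardened, &d);
    return d;
}

/* Constructed inputs: complete, incomplete (the "specially crafted invalid"
 * block) and oversubscribed code-length sets. */
const unsigned char kComplete[]   = { 1, 2, 3, 3 };
const unsigned char kIncomplete[] = { 1, 2, 3 };
const unsigned char kOversub[]    = { 1, 1, 1 };

int main(void)
{
    printf("vulnerable, incomplete tree: %d double free(s)\n",
           double_frees_for(kIncomplete, 3, 0));
    printf("hardened,   incomplete tree: %d double free(s)\n",
           double_frees_for(kIncomplete, 3, 1));
    return 0;
}
```

The point of the hardened path is the pair of changes, not either one
alone: clearing the pointer removes the object a later path could free
again, and moving to a terminal mode removes the retry that reaches that
path.  With the system allocator instead of the model one, the second
release would corrupt malloc's bookkeeping exactly as the title of this
advisory says.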


What to do:

A new version of zlib has been released, zlib 1.1.4, that eliminates
this possibility of a double-free, and thus eliminates the
vulnerability.  This new version is available in source form from
http://www.zlib.org with links to alternate download sites around the
world.  The file is zlib-1.1.4.tar.gz, and has the md5sum:
abc405d0bdd3ee22782d7aa20e440f08.  Check the md5sum of the file you
download against this value before building it, since the alternate
sites are mirrors.

Applications that link zlib statically, or that carry their own copy of
the zlib source (zlib 1.1.3 or earlier), must be rebuilt with zlib 1.1.4
even if you think your system protects you from double frees: updating
the system's shared library does not fix them.  Similarly, all systems
that provide zlib as a dynamic shared library should immediately update
to zlib 1.1.4, and applications using it should be restarted, since a
running process keeps the old library mapped until it restarts.  Early
versions of zlib up to 1.0.8 do not have this double free problem, but
have other problems that are fixed in later versions, so these early
versions must be upgraded as well.

For further instructions and vendor information, please read the CERT
Advisory CA-2002-07 at http://www.cert.org/advisories/CA-2002-07.html


How to know:

The use of zlib has apparently reached pandemic proportions.  :-)  
Before the research in February and March of 2002 on this vulnerability, 
even the authors of zlib had no clue how widespread the use of zlib had 
become.  It is not clear that even the CERT advisory will be seen by 
every application author that has used zlib.  You can find a partial 
list of zlib applications at http://www.gzip.org/zlib/apps.html and you 
can find vendor statements in the CERT advisory.  Those represent only 
the zlib applications that we know about.

So how do you know where else zlib is used and should be updated?  
Florian Weimer has generously provided a Perl script for just this 
purpose.  It can search executables for signatures of zlib's 
decompression code and report its presence.  That script is at 
http://CERT.Uni-Stuttgart.DE/files/fw/find-zlib, and any questions or 
suggestions on the script should be directed to Florian at 
Weimer@CERT.Uni-Stuttgart.DE.  If your vendor uses zlib and is not 
listed in the CERT advisory, then you should contact your vendor 
directly.
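As an added example that is not Florian's script, the program below
does a cruder check in C: zlib's infblock.c carries a global string of
the form " inflate <version> Copyright <years> Mark Adler ", so a binary
that links an unmodified zlib usually contains it.  The program scans a
file for that string, pulls out the version, and reports whether it
falls in the affected range given in this advisory, 1.0.9 through 1.1.3.
The sample "binaries" at the bottom are constructed for the self-test
and only mimic the form of the string.

```c
/* Added example, not Florian Weimer's find-zlib script: a string-signature
 * scan.  zlib's infblock.c carries a global string of the form
 * " inflate <version> Copyright <years> Mark Adler ", so a binary that links
 * an unmodified zlib usually contains it.  The scan pulls out the version and
 * checks it against the affected range from this advisory, 1.0.9 to 1.1.3. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Locate needle in a binary buffer (a portable memmem). */
static const unsigned char *find_bytes(const unsigned char *hay, size_t hlen,
                                       const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; nlen && i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return hay + i;
    return NULL;
}

static int starts_with(const unsigned char *p, const unsigned char *end,
                       const char *s)
{
    size_t n = strlen(s);
    return (size_t)(end - p) >= n && memcmp(p, s, n) == 0;
}

/* Find " inflate <version> Copyright " in buf and copy the version into ver.
 * Returns 1 if found, 0 otherwise.  Every " inflate " occurrence is tried so a
 * stray use of the word elsewhere in the binary does not hide the real one. */
int find_inflate_version(const unsigned char *buf, size_t n, char *ver, size_t vlen)
{
    const char *tag = " inflate ";
    const unsigned char *p = buf, *end = buf + n;
    if (vlen == 0) return 0;
    while ((p = find_bytes(p, (size_t)(end - p), tag)) != NULL) {
        const unsigned char *q = p + strlen(tag);
        size_t i = 0;
        while (q + i < end && i + 1 < vlen &&
               ((q[i] >= '0' && q[i] <= '9') || q[i] == '.')) {
            ver[i] = (char)q[i];
            i++;
        }
        ver[i] = '\0';
        if (i > 0 && starts_with(q + i, end, " Copyright ")) return 1;
        p = q;
    }
    return 0;
}

/* Convenience for callers that just want the version (static buffer). */
const char *inflate_version_of(const unsigned char *buf, size_t n)
{
    static char ver[16];
    return find_inflate_version(buf, n, ver, sizeof ver) ? ver : NULL;
}

/* "a.b.c" as one comparable number; -1 if the string is not of that form. */
static long version_key(const char *v)
{
    int a, b, c; char extra;
    if (sscanf(v, "%d.%d.%d%c", &a, &b, &c, &extra) != 3) return -1;
    return (long)a * 1000000L + b * 1000L + c;
}

/* 1 if the version lies in the affected range 1.0.9 .. 1.1.3 inclusive. */
int zlib_version_affected(const char *v)
{
    long k = version_key(v);
    return k >= version_key("1.0.9") && k <= version_key("1.1.3");
}

/* Constructed sample "binaries" for a self-test; they only mimic the form of
 * zlib's copyright string and are not taken from any real file. */
const unsigned char kSampleOld[]  = "\x7f" "ELF\0\0code\0 inflate 1.1.3 Copyright 1995-1998 Mark Adler \0";
const unsigned char kSampleNew[]  = "\x7f" "ELF\0\0code\0 inflate 1.1.4 Copyright 1995-2002 Mark Adler \0";
const unsigned char kSampleNone[] = "\x7f" "ELF\0\0 no compression here\0";

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <executable-or-library>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    fseek(f, 0, SEEK_END);
    long len = ftell(f);
    rewind(f);
    unsigned char *buf = len > 0 ? malloc((size_t)len) : NULL;
    if (!buf || fread(buf, 1, (size_t)len, f) != (size_t)len) { perror("read"); return 2; }
    fclose(f);
    const char *ver = inflate_version_of(buf, (size_t)len);
    if (!ver)
        printf("%s: no zlib inflate signature found\n", argv[1]);
    else
        printf("%s: zlib %s (%s)\n", argv[1], ver,
               zlib_version_affected(ver) ? "AFFECTED, upgrade to 1.1.4"
                                          : "not in the affected range");
    free(buf);
    return 0;
}
```

Run it over each executable and over the shared zlib library itself
(an application that links zlib dynamically carries no copy of the
string; the library does).  A hit is conclusive, a miss is not: the scan
only finds copies that kept the copyright string unchanged, whereas
Florian's script matches the decompression code itself and is the
better check when the strings may have been edited out.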


History and acknowledgments

Steven Sawkins provided the first report of the double-free problem in
zlib 1.1.3 to the authors of zlib, Mark Adler and Jean-loup Gailly.
Though it was not detected at the time, the problem was first introduced
in zlib 1.0.9, released on February 17, 1998.  The problem was
subsequently reported by other people, but the zlib authors did not
correctly appreciate the security implications, and thus the
seriousness, of this issue.

The most recent report was made by Owen Taylor on February 6, 2002,
after Matthias Clasen found an invalid PNG file crashing zlib.  It was
then pointed out by several people, including Mark Cox, that this
represented a serious security vulnerability, since double-frees had
been exploited in the past, and since zlib is in such widespread use.
This led to the release of zlib 1.1.4 on March 11, 2002 to eliminate
the vulnerability, and the release by Jeffrey Lanza of CERT Advisory
CA-2002-07 on March 12, 2002.

Mark Adler
Jean-loup Gailly


This document is available from
http://www.gzip.org/zlib/advisory-2002-03-11.txt

Revision history:
o March 11, 2002: initial version
o March 13, 2002: rewrite by Mark Adler
o March 14, 2002: add revision history and fix typo

The public PGP key of zlib author Jean-loup Gailly is available from
http://www.gzip.org/zlib/jloup.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8kPsg2aJ9JQGWcacRArDqAKCRPPH0rs3QexhXevSLdDHd8cqSQQCgjHns
sXopEyK7Jul/jRWnLYad6ck=
=EDIV
-----END PGP SIGNATURE-----