Closed Bug 299445 Opened 19 years ago Closed 19 years ago

zlib buffer overflow

Categories

(Core :: Networking: HTTP, defect)

Product:
Core
Component:
Networking: HTTP
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: taviso, Assigned: benjamin)

References

(
URL
)

Details

(Whiteboard: [sg:fix] trunk only, landed in modules/zlib and NSS)

Attachments

(1 file, 1 obsolete file)

explanation and proposed patch
3.47 KB, text/plain
darin.moz
: review+
chase
: superreview+
dveditz
: approval-aviary1.0.5-
dveditz
: approval1.7.9-
chase
: approval1.8b3+
Details 
I've discovered a deflate data stream that causes zlib to overwrite the bounds 
of an array, I believe this to be potentially exploitable under certain 
conditions to execute arbitrary code. Mark Adler, co-author of zlib, has 
provided the detailed explanation and proposed patch attached.

Please try to load the png or php files in the URL field for a testcase.

As mozilla bundles it's own distribution of zlib, I expect this will have to be 
fixed independently of the system zlib.
Flags: blocking1.8b3?
Flags: blocking1.7.9?
Flags: blocking-aviary1.0.5?

    
  

        Attachment #188021 -
        Flags: superreview?(dveditz)

        Attachment #188021 -
        Flags: review?(darin)

        Attachment #188021 -
        Flags: approval1.8b3?

        Attachment #188021 -
        Flags: approval1.7.9?

        Attachment #188021 -
        Flags: approval-aviary1.0.5?

    
    

    
  
There doesn't appear to be similar code in our version of zlib (1.1.4), in fact
the stylistic differences are so great it's hard to believe it's from the same
library. Does that mean we're not vulnerable, or just that we need a different
patch?

    
    

    
  
hm? the code at least on trunk looks basically identical (I think indentation is
a bit off, so the patch does not apply directly). Did we update zlib on trunk,
but not on branch, maybe?

    
    

    
  
(In reply to comment #2)
> our version of zlib (1.1.4)

Oops, I was looking at a branch tree. I guess my question still stands though --
do the differences mean the branch is not vulnerable, or do we need something
different to fix 1.1.4?

The attached patch looks good for the trunk.


Flags: blocking1.8b3? → blocking1.8b3+
Whiteboard: [sg:fix] may be trunk only

    
  
Flags: blocking-aviary1.0.6?
Flags: blocking-aviary1.0.5?
Flags: blocking-aviary1.0.5-

    
  

        Attachment #188021 -
        Flags: review?(darin) → review+

    
    

    
  
The aviary/1.7 branches (zlib 1.1.4) handle the testcases fine.
Flags: blocking1.7.9?
Flags: blocking1.7.9-
Flags: blocking-aviary1.0.6?
Flags: blocking-aviary1.0.6-

    
    

    
  
Comment on attachment 188021 [details]
explanation and proposed patch

Per 1.1a2 meeting, dveditz granted sr on this patch for trunk landing. 
Granting approval for it to land there.

        Attachment #188021 -
        Flags: superreview?(dveditz)

        Attachment #188021 -
        Flags: superreview+

        Attachment #188021 -
        Flags: approval1.8b3?

        Attachment #188021 -
        Flags: approval1.8b3+

    
  
Assignee: darin → benjamin

    
    

    
  
I checked this patch in on mozilla trunk. I'm going to leave the bug open
because NSS has their own copy of zlib which should be patched.

    
  
Whiteboard: [sg:fix] may be trunk only → [sg:fix] may be trunk only, landed in modules/zlib but not in NSS

    
    

    
  
should the bug go over to wtc for the nss part?

    
    

    
  
Comment on attachment 188021 [details]
explanation and proposed patch

I just checked in this patch on the NSS trunk for NSS 3.11.
The zlib in NSS is only used by the NSS command-line utility
signtool.

    
    

    
  
ah, ok. fixed on trunk then, going to close but we still need
investigation/decision about the branches.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED

    
    

    
  
This particular issue only affects zlib 1.2.x.  Anything using 1.1.x is fine.

    
    

    
  
*** Bug 300072 has been marked as a duplicate of this bug. ***

    
    

    
  
Since this bug has been published by Secunia, I think the security-sensitive
flag can be removed. See http://secunia.com/advisories/15949/
Group: security
Whiteboard: [sg:fix] may be trunk only, landed in modules/zlib but not in NSS → [sg:fix] trunk only, landed in modules/zlib and NSS

        Attachment #188021 -
        Flags: approval1.7.9?

        Attachment #188021 -
        Flags: approval1.7.9-

        Attachment #188021 -
        Flags: approval-aviary1.0.5?

        Attachment #188021 -
        Flags: approval-aviary1.0.5-

    
    

    
  
A perusal of signtool and zlib shows inflate() and inflateBack() are the only
two external zlib functions that call the offending inflate_table() functon in
inftrees.c. inflate() is called by the following:
    
    gzio.c:gzread()
    uncompr.c:uncompress()
    jarfile.c:JAR_pass_archive_unverified()
    jarfile.c:JAR_extract()

Signtool only calls JAR_extract() and JAR_pass_archive_unverified() and only
when the verify option is set.
    

   

    
    

    
  
inflate() is also used via libpng to decode PNG images.

    
    

    
  
Never mind, libpng has nothing to do with zlib in NSS, which would be immune to
the vulnerability anyhow if it is still at zlib 1.1.4 or earlier.

    
    

    
  
Adding Neil and myself to cc list

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Fix for NSS_3_3_4_1_BRANCH (obsolete)
        — Splinter Review
      

    


  

        Attachment #192100 -
        Flags: superreview?(julien.pierre.bugs)

        Attachment #192100 -
        Flags: review?(neil.williams)

    
    

    
  
Comment on attachment 192100 [details] [diff] [review]
Fix for NSS_3_3_4_1_BRANCH

see https://bugzilla.mozilla.org/show_bug.cgi?id=301212

        Attachment #192100 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 192100 [details] [diff] [review]
Fix for NSS_3_3_4_1_BRANCH

Canceling reviews on wrong product.

        Attachment #192100 -
        Flags: superreview?(julien.pierre.bugs)

        Attachment #192100 -
        Flags: review?(neil.williams)
Status: RESOLVED → VERIFIED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: