Closed Bug 299445 Opened 20 years ago Closed 20 years ago

zlib buffer overflow

Categories

(Core :: Networking: HTTP, defect)

Product:
Core
Component:
Networking: HTTP
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: taviso, Assigned: benjamin)

References

(
URL
)

Details

(Whiteboard: [sg:fix] trunk only, landed in modules/zlib and NSS)

Attachments

(1 file, 1 obsolete file)

explanation and proposed patch
3.47 KB, text/plain
darin.moz
: review+
chase
: superreview+
dveditz
: approval-aviary1.0.5-
dveditz
: approval1.7.9-
chase
: approval1.8b3+
Details
I've discovered a deflate data stream that causes zlib to overwrite the bounds of an array, I believe this to be potentially exploitable under certain conditions to execute arbitrary code. Mark Adler, co-author of zlib, has provided the detailed explanation and proposed patch attached. Please try to load the png or php files in the URL field for a testcase. As mozilla bundles it's own distribution of zlib, I expect this will have to be fixed independently of the system zlib.
Flags: blocking1.8b3?
Flags: blocking1.7.9?
Flags: blocking-aviary1.0.5?
Attachment #188021 - Flags: superreview?(dveditz)
Attachment #188021 - Flags: review?(darin)
Attachment #188021 - Flags: approval1.8b3?
Attachment #188021 - Flags: approval1.7.9?
Attachment #188021 - Flags: approval-aviary1.0.5?
There doesn't appear to be similar code in our version of zlib (1.1.4), in fact the stylistic differences are so great it's hard to believe it's from the same library. Does that mean we're not vulnerable, or just that we need a different patch?
hm? the code at least on trunk looks basically identical (I think indentation is a bit off, so the patch does not apply directly). Did we update zlib on trunk, but not on branch, maybe?
(In reply to comment #2) > our version of zlib (1.1.4) Oops, I was looking at a branch tree. I guess my question still stands though -- do the differences mean the branch is not vulnerable, or do we need something different to fix 1.1.4? The attached patch looks good for the trunk.
Flags: blocking1.8b3? → blocking1.8b3+
Whiteboard: [sg:fix] may be trunk only
Flags: blocking-aviary1.0.6?
Flags: blocking-aviary1.0.5?
Flags: blocking-aviary1.0.5-
Attachment #188021 - Flags: review?(darin) → review+
The aviary/1.7 branches (zlib 1.1.4) handle the testcases fine.
Flags: blocking1.7.9?
Flags: blocking1.7.9-
Flags: blocking-aviary1.0.6?
Flags: blocking-aviary1.0.6-
Comment on attachment 188021 [details] explanation and proposed patch Per 1.1a2 meeting, dveditz granted sr on this patch for trunk landing. Granting approval for it to land there.
Attachment #188021 - Flags: superreview?(dveditz)
Attachment #188021 - Flags: superreview+
Attachment #188021 - Flags: approval1.8b3?
Attachment #188021 - Flags: approval1.8b3+
Assignee: darin → benjamin
I checked this patch in on mozilla trunk. I'm going to leave the bug open because NSS has their own copy of zlib which should be patched.
Whiteboard: [sg:fix] may be trunk only → [sg:fix] may be trunk only, landed in modules/zlib but not in NSS
should the bug go over to wtc for the nss part?
Comment on attachment 188021 [details] explanation and proposed patch I just checked in this patch on the NSS trunk for NSS 3.11. The zlib in NSS is only used by the NSS command-line utility signtool.
ah, ok. fixed on trunk then, going to close but we still need investigation/decision about the branches.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
This particular issue only affects zlib 1.2.x. Anything using 1.1.x is fine.
*** Bug 300072 has been marked as a duplicate of this bug. ***
Since this bug has been published by Secunia, I think the security-sensitive flag can be removed. See http://secunia.com/advisories/15949/
Group: security
Whiteboard: [sg:fix] may be trunk only, landed in modules/zlib but not in NSS → [sg:fix] trunk only, landed in modules/zlib and NSS
Attachment #188021 - Flags: approval1.7.9?
Attachment #188021 - Flags: approval1.7.9-
Attachment #188021 - Flags: approval-aviary1.0.5?
Attachment #188021 - Flags: approval-aviary1.0.5-
A perusal of signtool and zlib shows inflate() and inflateBack() are the only two external zlib functions that call the offending inflate_table() functon in inftrees.c. inflate() is called by the following: gzio.c:gzread() uncompr.c:uncompress() jarfile.c:JAR_pass_archive_unverified() jarfile.c:JAR_extract() Signtool only calls JAR_extract() and JAR_pass_archive_unverified() and only when the verify option is set.
inflate() is also used via libpng to decode PNG images.
Never mind, libpng has nothing to do with zlib in NSS, which would be immune to the vulnerability anyhow if it is still at zlib 1.1.4 or earlier.
Adding Neil and myself to cc list
Attached patch Fix for NSS_3_3_4_1_BRANCH (obsolete) — Splinter Review
Attachment #192100 - Flags: superreview?(julien.pierre.bugs)
Attachment #192100 - Flags: review?(neil.williams)
Comment on attachment 192100 [details] [diff] [review] Fix for NSS_3_3_4_1_BRANCH see https://bugzilla.mozilla.org/show_bug.cgi?id=301212
Attachment #192100 - Attachment is obsolete: true
Comment on attachment 192100 [details] [diff] [review] Fix for NSS_3_3_4_1_BRANCH Canceling reviews on wrong product.
Attachment #192100 - Flags: superreview?(julien.pierre.bugs)
Attachment #192100 - Flags: review?(neil.williams)
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: