Bug 300349 - Another zlib-1.2.2 buffer overflow
Status: VERIFIED FIXED (closed)
Opened 19 years ago; closed 19 years ago
Product: Core; Component: Networking: HTTP; type: defect
Target Milestone: mozilla1.8beta4
Reporter: glennrp+bmo; Assigned: darin.moz
Keywords: crash; Whiteboard: [sg:fix]
Attachments (1 file): patch, 988 bytes; Biesinger: review+; dveditz: superreview+; benjamin: approval1.8b4+
While working on bug #299425, the zlib team has discovered another vulnerability. The fix (by Mark Adler) is to change a couple of settings in inftrees.h: --- 36,47 ---- */ /* Maximum size of dynamic tree. The maximum found in a long but non- ! exhaustive search was 1444 code structures (852 for length/literals ! and 592 for distances, the latter actually the result of an exhaustive search). The true maximum is not known, but the value below is more than safe. */ ! #define ENOUGH 2048 ! #define MAXD 592
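Review bot: MAXD is set to exactly 592, the figure the comment reports as the exhaustive-search maximum for distance codes, with no margin, while ENOUGH gets a wide margin (2048 against an observed 1444), and the comment itself says the 852 length/literal figure came from a "long but non-exhaustive search", so that bound is unproven. Since the hunk only changes the two constants, please confirm that the code which fills the table still checks its running entry count against these limits at runtime and rejects the stream when they are exceeded, rather than relying on the constants alone, and that the comparison used for distances is consistent (`>=` versus `>`) with a table that needs exactly 592 entries. It would also help to state in the comment how 2048 was chosen relative to 852 + 592.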
Updated•19 years ago
Flags: blocking1.8b4+
Flags: blocking1.8b3?
Whiteboard: [sg:fix]
Comment 1•19 years ago
Attaching patch from initial comment so we can attach appropriate flags
Attachment #188933 -
Flags: superreview+
Attachment #188933 -
Flags: review?(cbiesinger)
Attachment #188933 -
Flags: approval1.8b4?
Attachment #188933 -
Flags: approval1.8b3?
Comment 2•19 years ago
Is this exploitable?
Comment 3•19 years ago
Comment on attachment 188933 (patch from initial comment): rs=me, I guess. I don't know this code at all.
Attachment #188933 -
Flags: review?(cbiesinger) → review+
Comment 4•19 years ago (Reporter)
Re: comment #2 Mark Adler seems to be more concerned about this one than the previous, probably because it's easier to understand. The team has a demo file that crashes zlib but aren't distributing it right now.
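The patch in the description only raises two table-size constants; the underlying hazard is a fixed-capacity decoding table whose required size is computed from attacker-controlled code lengths, and the comment in the hunk admits the length/literal bound came from a non-exhaustive search. The C program below is an added illustration, not zlib's own inflate_table() (zlib's sub-table sizing is tighter and its constants differ): it sizes a two-level canonical Huffman decoding table from a set of code lengths and refuses to build it when the entry count would exceed a fixed capacity. The names `table_entries`, `table_fits`, `TABLE_ENOUGH` and the `demo_*` functions are this example's own; the capacity value 2048 is borrowed from the patch's ENOUGH, and the sample code-length sets are constructed for the demonstration (deflate's fixed literal/length and distance codes from RFC 1951, a small hand-checkable code, a pathological set, and a Kraft-violating set).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_BITS     15    /* longest deflate code length */
#define MAX_ROOT      9    /* widest root-table index this example supports */
#define TABLE_ENOUGH 2048  /* fixed table capacity; value taken from the patch's ENOUGH */

/* Entries a two-level decoding table needs for a canonical Huffman code given
 * per-symbol code lengths (0 = symbol has no code): a root table of 1 << root
 * entries plus, for each root-bit prefix shared by longer codes, one sub-table
 * of 1 << (longest code with that prefix - root) entries.  Returns -1 for an
 * unsupported root, a length over MAX_BITS, or a length set that over-subscribes
 * the code (Kraft sum > 1).  Simplified model; not zlib's inflate_table(). */
long table_entries(const unsigned char *lens, size_t n, unsigned root)
{
    unsigned count[MAX_BITS + 1] = {0};          /* number of codes of each length */
    unsigned next_code[MAX_BITS + 1] = {0};
    unsigned char longest[1u << MAX_ROOT] = {0}; /* longest code behind each root prefix */
    unsigned len, code, prefix;
    long left, used;
    size_t i;

    if (root < 1 || root > MAX_ROOT)
        return -1;
    for (i = 0; i < n; i++) {
        if (lens[i] > MAX_BITS)
            return -1;
        count[lens[i]]++;
    }
    count[0] = 0;                                /* unused symbols get no code */

    /* Kraft inequality: more codes than a prefix code can hold is malformed. */
    left = 1;
    for (len = 1; len <= MAX_BITS; len++) {
        left = (left << 1) - (long)count[len];
        if (left < 0)
            return -1;
    }

    /* Canonical code assignment (RFC 1951, section 3.2.2). */
    code = 0;
    for (len = 1; len <= MAX_BITS; len++) {
        code = (code + count[len - 1]) << 1;
        next_code[len] = code;
    }

    /* Assign codes in symbol order and note the longest code behind each prefix. */
    for (i = 0; i < n; i++) {
        len = lens[i];
        if (len == 0)
            continue;
        code = next_code[len]++;
        if (len > root) {
            prefix = code >> (len - root);
            if (longest[prefix] < len)
                longest[prefix] = (unsigned char)len;
        }
    }

    used = 1L << root;
    for (prefix = 0; prefix < (1u << root); prefix++)
        if (longest[prefix])
            used += 1L << (longest[prefix] - root);
    return used;
}

/* The guard a fixed-capacity table needs at runtime: reject the input when its
 * code set would not fit, instead of trusting a search-derived constant. */
int table_fits(const unsigned char *lens, size_t n, unsigned root)
{
    long used = table_entries(lens, n, root);
    return used >= 0 && used <= TABLE_ENOUGH;
}

/* Constructed inputs for the demonstration. */
long demo_fixed_litlen(void)   /* deflate's fixed literal/length code, root 9 */
{
    unsigned char lens[288];
    size_t i;
    for (i = 0; i < 144; i++) lens[i] = 8;
    for (; i < 256; i++) lens[i] = 9;
    for (; i < 280; i++) lens[i] = 7;
    for (; i < 288; i++) lens[i] = 8;
    return table_entries(lens, 288, 9);
}

long demo_fixed_dist(void)     /* deflate's fixed distance code, root 5 */
{
    unsigned char lens[30];
    memset(lens, 5, sizeof lens);
    return table_entries(lens, 30, 5);
}

long demo_small_subtable(void) /* lengths 1,2,3,3 with root 2: 4 + one 2-entry sub-table */
{
    static const unsigned char lens[4] = {1, 2, 3, 3};
    return table_entries(lens, 4, 2);
}

/* One 1-bit code then 1600 15-bit codes: the 15-bit codes span 25 root prefixes,
 * each needing a 64-entry sub-table, so 512 + 1600 = 2112 exceeds TABLE_ENOUGH. */
int demo_oversized_rejected(void)
{
    static unsigned char lens[1601];
    lens[0] = 1;
    memset(lens + 1, 15, 1600);
    return table_entries(lens, 1601, 9) == 2112 && !table_fits(lens, 1601, 9);
}

int demo_oversubscribed_rejected(void) /* three 1-bit codes cannot form a prefix code */
{
    static const unsigned char lens[3] = {1, 1, 1};
    return table_entries(lens, 3, 9) == -1;
}

int main(void)
{
    printf("fixed lit/len %ld, fixed dist %ld, small code %ld entries\n",
           demo_fixed_litlen(), demo_fixed_dist(), demo_small_subtable());
    printf("oversized rejected: %d, oversubscribed rejected: %d\n",
           demo_oversized_rejected(), demo_oversubscribed_rejected());
    return 0;
}
```

The fixed literal/length and distance codes need 512 and 32 entries and fit comfortably; the constructed set of one 1-bit code followed by 1600 15-bit codes is a valid prefix code that needs 2112 entries and is rejected by `table_fits`, and a set that violates the Kraft inequality is rejected before any table is sized. The lesson the patch's comment hints at is that the runtime check, not the constant, is what keeps a pathological stream from writing past the end of the table when the search-derived bound turns out to be too small.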
Comment 5•19 years ago (Reporter)
Like the previous bug, this one was apparently introduced in zlib-1.2.0 and does not affect version 1.1.4.
Comment 6•19 years ago (Reporter)
Whoops, the cross reference in my original comment is incorrect. It should say bug #299445. Sorry.
Updated•19 years ago
Flags: blocking1.8b3? → blocking1.8b3-
Updated•19 years ago
Attachment #188933 -
Flags: approval1.8b4?
Attachment #188933 -
Flags: approval1.8b4+
Attachment #188933 -
Flags: approval1.8b3?
Comment 7•19 years ago (Reporter)
Zlib developers have released zlib-1.2.3 which includes the fix for this and the other recent security bug. At this point we probably should upgrade to 1.2.3 instead of patching the bug. See zlib.net/zlib-1.2.3.tar.gz. Here is the announcement from Mark Adler:

All,

Thank you very much for your testing. zlib 1.2.3 is available here:

http://zlib.net/zlib-1.2.3.tar.gz

This is the final version. I would appreciate it if someone could generate zip and dll versions with the same conventions used for the previous release.

Thanks.

mark

MD5(zlib-1.2.3.tar.gz)= debc62758716a169df9f62e6ab2bc634
SHA1(zlib-1.2.3.tar.gz)= 60faeaaf250642db5c0ea36cd6dcc9f99c8f3902

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQBC27A4eD/Njli8r7oRAkknAKDT33PcLS0aTOAK1BhZSmqXUy0LmwCfTQdU
WGxs9D/VFnlBbRkM4KQY6X8=
=cu2V
-----END PGP SIGNATURE-----
Comment 8•19 years ago
I will upgrade mozilla/security/nss/cmd/zlib to zlib 1.2.3 (bug 301212).
Comment 9•19 years ago (Reporter)
Now that zlib-1.2.3 has been released this can be public. Removing security-sensitivity flag.
Comment 10•19 years ago (Reporter)
Someone empowered to do so, please clear the security-sensitive flag.
Comment 11•19 years ago (Reporter)
Zlib-1.2.3 has been released and has been published on the zlib web site, http://www.zlib.net . See bug #301646 for a patch to upgrade modules/zlib.
Updated•19 years ago
Group: security
Updated•19 years ago (Assignee)
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.8beta4
Comment 12•19 years ago (Assignee)
fixed-on-trunk
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Updated•19 years ago (Reporter)
Status: RESOLVED → VERIFIED