Closed Bug 300349 Opened 19 years ago Closed 19 years ago

Another zlib-1.2.2 buffer overflow

Categories: Core :: Networking: HTTP, defect
Type: defect; Priority: not set; Severity: normal
Tracking: VERIFIED FIXED; Target Milestone: mozilla1.8beta4
People: Reporter: glennrp+bmo, Assigned: darin.moz
Details: Keywords: crash, Whiteboard: [sg:fix]
Attachments: 1 file

While working on bug #299425, the zlib team has discovered another
vulnerability.  The fix (by Mark Adler) is to change a couple of settings in
inftrees.h:

--- 36,47 ----
    */

   /* Maximum size of dynamic tree.  The maximum found in a long but non-
!    exhaustive search was 1444 code structures (852 for length/literals
!    and 592 for distances, the latter actually the result of an
      exhaustive search).  The true maximum is not known, but the value
      below is more than safe. */
! #define ENOUGH 2048
! #define MAXD 592
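Review bot: only the new-file half of the context diff (`--- 36,47 ----`) is attached, so the previous values of `ENOUGH` and `MAXD` are not visible and a reviewer cannot judge how much headroom the change adds; please include both halves of the context diff or a unified diff. The comment being edited also says "The true maximum is not known" and that the numbers come from a non-exhaustive search, so the code that fills tables bounded by `ENOUGH` and `MAXD` should keep an explicit check that the entries it has used stay below those limits rather than rely on the larger constants alone.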
Flags: blocking1.8b4+
Flags: blocking1.8b3?
Whiteboard: [sg:fix]
Attaching patch from initial comment so we can attach appropriate flags
Attachment #188933 - Flags: superreview+
Attachment #188933 - Flags: review?(cbiesinger)
Attachment #188933 - Flags: approval1.8b4?
Attachment #188933 - Flags: approval1.8b3?
Is this exploitable?
Comment on attachment 188933 [details] [diff] [review]
patch from initial comment

rs=me, I guess. I don't know this code at all.
Attachment #188933 - Flags: review?(cbiesinger) → review+
Re: comment #2
Mark Adler seems to be more concerned about this one than the previous, probably
because it's easier to understand.  The team has a demo file that crashes zlib
but isn't distributing it right now.
Like the previous bug, this one was apparently introduced in zlib-1.2.0 and does
not affect version 1.1.4.
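To make the numbers in the patch concrete, here is an added example (not code from this bug or from zlib) that models how inftrees.c sizes an inflate decoding table: a root table of `root` bits plus one sub-table per distinct root-bit prefix among the longer codes. The result is the count that `ENOUGH` has to bound; the sizing rule is my reading of inftrees.c, and `table_entries` and `fixed_litlen_entries` are names chosen here.

```c
#define MAXBITS 15
#define ENOUGH  2048   /* patch values: table entries must fit in this budget */
#define MAXD    592
/* Entries a canonical Huffman code with these lengths needs as a `root`-bit
 * root table plus sub-tables, per the sizing rule of inftrees.c as I read it
 * (a model, not zlib's own code).  Returns -1 if the lengths are over-subscribed. */
int table_entries(const unsigned char *lens, int n, int root)
{
    int rem[MAXBITS + 1] = {0}, next_code[MAXBITS + 1] = {0};
    int len, sym, max, min, left, used, last_prefix = -1;
    for (sym = 0; sym < n; sym++) {
        if (lens[sym] > MAXBITS) return -1;
        if (lens[sym]) rem[lens[sym]]++;                  /* length 0 = unused symbol */
    }
    for (left = 1, len = 1; len <= MAXBITS; len++) {       /* Kraft check + first codes */
        if ((left = (left << 1) - rem[len]) < 0) return -1;   /* over-subscribed */
        next_code[len] = (next_code[len - 1] + rem[len - 1]) << 1;   /* RFC 1951 3.2.2 */
    }
    for (max = MAXBITS; max > 0 && rem[max] == 0; max--) ;
    if (max == 0) return -1;                               /* no codes at all */
    for (min = 1; rem[min] == 0; min++) ;
    if (root > max) root = max; if (root < min) root = min;   /* same clamping as inflate_table */
    used = 1 << root;                                      /* the root table itself */
    /* Walk codes in canonical order (by length, then symbol).  Codes longer than root
     * bits live in a sub-table chosen by their first root bits; a new one starts whenever those bits change. */
    for (len = 1; len <= max; len++)
        for (sym = 0; sym < n; sym++) {
            int code, prefix, curr;
            if (lens[sym] != len) continue;
            code = next_code[len]++;
            if (len > root && (prefix = code >> (len - root)) != last_prefix) {
                last_prefix = prefix;
                curr = len - root;          /* widen until the still-unplaced codes fit */
                for (left = 1 << curr; curr + root < max; curr++, left <<= 1)
                    if ((left -= rem[curr + root]) <= 0) break;
                used += 1 << curr;
            }
            rem[len]--;                                    /* this code is now placed */
        }
    return used;
}

/* Fixed literal/length code of RFC 1951 3.2.6 with zlib's 9-bit root (512 entries). */
int fixed_litlen_entries(void)
{
    unsigned char lens[288]; int sym;
    for (sym = 0; sym < 288; sym++)
        lens[sym] = sym < 144 ? 8 : sym < 256 ? 9 : sym < 280 ? 7 : 8;
    return table_entries(lens, 288, 9);
}
```

A length/literal table is built with a 9-bit root and a distance table with a 6-bit root in zlib, so feeding a dynamic block's code lengths through this function shows how close a given set comes to the 852 and 592 figures quoted in the patch comment.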
Whoops, the cross reference in my original comment is incorrect.  It should say
bug #299445.  Sorry.
Flags: blocking1.8b3? → blocking1.8b3-
Attachment #188933 - Flags: approval1.8b4?
Attachment #188933 - Flags: approval1.8b4+
Attachment #188933 - Flags: approval1.8b3?
Zlib developers have released zlib-1.2.3 which includes the fix for this and the
other recent security bug.  At this point we probably should upgrade to 1.2.3
instead of patching the bug.  See zlib.net/zlib-1.2.3.tar.gz.  Here is the
announcement from Mark Adler:


All,

Thank you very much for your testing.  zlib 1.2.3 is available here:

     http://zlib.net/zlib-1.2.3.tar.gz

This is the final version.  I would appreciate it if someone could 
generate zip and dll versions with the same conventions used for the 
previous release.  Thanks.

mark


MD5(zlib-1.2.3.tar.gz)= debc62758716a169df9f62e6ab2bc634

SHA1(zlib-1.2.3.tar.gz)= 60faeaaf250642db5c0ea36cd6dcc9f99c8f3902

I will upgrade mozilla/security/nss/cmd/zlib to zlib 1.2.3
(bug 301212).
Now that zlib-1.2.3 has been released this can be public.  Removing
security-sensitivity flag.
Someone empowered to do so, please clear the security-sensitive flag.
Zlib-1.2.3 has been released and has been published on the zlib web site,
http://www.zlib.net.  See bug #301646 for a patch to upgrade modules/zlib.
Group: security
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.8beta4
fixed-on-trunk
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
No longer depends on: 301646
Status: RESOLVED → VERIFIED