Bug 299445: zlib buffer overflow (Closed)
Opened 19 years ago; closed 19 years ago
Categories: Core :: Networking: HTTP, defect
Status: VERIFIED FIXED
People: Reporter: taviso; Assigned: benjamin
Whiteboard: [sg:fix] trunk only, landed in modules/zlib and NSS
Attachments (1 file, 1 obsolete file)
3.47 KB, text/plain: darin.moz: review+ | chase: superreview+ | dveditz: approval-aviary1.0.5- | dveditz: approval1.7.9- | chase: approval1.8b3+
Description:
I've discovered a deflate data stream that causes zlib to overwrite the bounds of an array. I believe this to be potentially exploitable under certain conditions to execute arbitrary code. Mark Adler, co-author of zlib, has provided the detailed explanation and proposed patch attached. Please try to load the png or php files in the URL field for a testcase. As mozilla bundles its own distribution of zlib, I expect this will have to be fixed independently of the system zlib.
Comment 1 (Reporter) • 19 years ago
Updated • 19 years ago
Flags: blocking1.8b3?
Flags: blocking1.7.9?
Flags: blocking-aviary1.0.5?
Updated (Assignee) • 19 years ago
Attachment #188021 Flags: superreview?(dveditz)
Attachment #188021 Flags: review?(darin)
Attachment #188021 Flags: approval1.8b3?
Attachment #188021 Flags: approval1.7.9?
Attachment #188021 Flags: approval-aviary1.0.5?
Comment 2 • 19 years ago
There doesn't appear to be similar code in our version of zlib (1.1.4); in fact, the stylistic differences are so great it's hard to believe it's from the same library. Does that mean we're not vulnerable, or just that we need a different patch?
Comment 3 • 19 years ago
hm? the code at least on trunk looks basically identical (I think indentation is a bit off, so the patch does not apply directly). Did we update zlib on trunk, but not on branch, maybe?
Comment 4 • 19 years ago
https://bugzilla.mozilla.org/show_bug.cgi?id=248644 is when we last updated zlib.
Comment 5 • 19 years ago
(In reply to comment #2)
> our version of zlib (1.1.4)

Oops, I was looking at a branch tree. I guess my question still stands though -- do the differences mean the branch is not vulnerable, or do we need something different to fix 1.1.4? The attached patch looks good for the trunk.
Flags: blocking1.8b3? → blocking1.8b3+
Whiteboard: [sg:fix] may be trunk only
Updated • 19 years ago
Flags: blocking-aviary1.0.6?
Flags: blocking-aviary1.0.5?
Flags: blocking-aviary1.0.5-
Updated • 19 years ago
Attachment #188021 Flags: review?(darin) → review+
Comment 6 • 19 years ago
The aviary/1.7 branches (zlib 1.1.4) handle the testcases fine.
Flags: blocking1.7.9?
Flags: blocking1.7.9-
Flags: blocking-aviary1.0.6?
Flags: blocking-aviary1.0.6-
Comment 7 • 19 years ago
Comment on attachment 188021 (explanation and proposed patch)
Per 1.1a2 meeting, dveditz granted sr on this patch for trunk landing.
Granting approval for it to land there.
Attachment #188021 Flags: superreview?(dveditz) → superreview+
Attachment #188021 Flags: approval1.8b3? → approval1.8b3+
Updated • 19 years ago
Assignee: darin → benjamin
Comment 8 (Assignee) • 19 years ago
I checked this patch in on mozilla trunk. I'm going to leave the bug open because NSS has their own copy of zlib which should be patched.
Updated (Assignee) • 19 years ago
Whiteboard: [sg:fix] may be trunk only → [sg:fix] may be trunk only, landed in modules/zlib but not in NSS
Comment 9 • 19 years ago
should the bug go over to wtc for the nss part?
Comment 10 • 19 years ago
Comment on attachment 188021 (explanation and proposed patch)
I just checked in this patch on the NSS trunk for NSS 3.11. The zlib in NSS is only used by the NSS command-line utility signtool.
Comment 11 (Assignee) • 19 years ago
ah, ok. fixed on trunk then, going to close but we still need investigation/decision about the branches.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment 12 • 19 years ago
This particular issue only affects zlib 1.2.x. Anything using 1.1.x is fine.
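The thread's recurring problem is that a fix in the system zlib does nothing for vendored copies (modules/zlib, the copy inside NSS), each of which has to be found and patched on its own. The script below is an added example, not code from this bug, from Mozilla or from NSS: it walks a source tree, reports the ZLIB_VERSION of every bundled zlib.h, and classifies 1.1.x copies as unaffected and 1.2.x copies as needing the inftrees.c patch confirmed, following comments 6 and 12. The demo tree, its paths and its version strings are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from bug 299445, Mozilla or NSS: locate every
# bundled zlib.h in a tree and report its ZLIB_VERSION, since each vendored
# copy must be patched independently of the system zlib.

# Print the ZLIB_VERSION string defined in one zlib.h (empty if absent).
zlib_version_of() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}ZLIB_VERSION[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Classify a version the way the thread does: 1.1.x copies handle the
# testcases fine; 1.2.x copies need the inftrees.c patch confirmed in the
# tree itself, because a version string alone cannot show a source patch
# has landed.
classify_zlib_version() {
    case "$1" in
        1.1.*) echo "not-affected" ;;
        1.2.*) echo "check-inftrees-patch" ;;
        *)     echo "unknown" ;;
    esac
}

# Walk a tree; emit one "path<TAB>version<TAB>classification" line per zlib.h.
scan_zlib_copies() {
    find "$1" -type f -name zlib.h | sort | while IFS= read -r hdr; do
        ver=$(zlib_version_of "$hdr")
        [ -n "$ver" ] || ver="unknown"
        printf '%s\t%s\t%s\n' "$hdr" "$ver" "$(classify_zlib_version "$ver")"
    done
}

# Build a constructed demo tree (paths and versions made up for the demo)
# with two vendored copies, scan it, print the report and clean up.
demo_scan() {
    d=$(mktemp -d)
    mkdir -p "$d/modules/zlib/src" "$d/security/nss/lib/zlib"
    printf '#define ZLIB_VERSION "1.2.2"\n' > "$d/modules/zlib/src/zlib.h"
    printf '#define ZLIB_VERSION "1.1.4"\n' > "$d/security/nss/lib/zlib/zlib.h"
    scan_zlib_copies "$d"
    rm -rf "$d"
}

demo_scan
```

On a real checkout, call scan_zlib_copies with the tree root instead of demo_scan; any "check-inftrees-patch" line is a copy whose inftrees.c must be diffed against the attached patch by hand.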
Comment 13 (Assignee) • 19 years ago
*** Bug 300072 has been marked as a duplicate of this bug. ***
Comment 14 • 19 years ago
Since this bug has been published by Secunia, I think the security-sensitive flag can be removed. See http://secunia.com/advisories/15949/
Updated • 19 years ago
Group: security
Updated • 19 years ago
Whiteboard: [sg:fix] may be trunk only, landed in modules/zlib but not in NSS → [sg:fix] trunk only, landed in modules/zlib and NSS
Updated • 19 years ago
Attachment #188021 Flags: approval1.7.9? → approval1.7.9-
Attachment #188021 Flags: approval-aviary1.0.5? → approval-aviary1.0.5-
Comment 15 • 19 years ago
A perusal of signtool and zlib shows inflate() and inflateBack() are the only two external zlib functions that call the offending inflate_table() function in inftrees.c. inflate() is called by the following:
  gzio.c:gzread()
  uncompr.c:uncompress()
  jarfile.c:JAR_pass_archive_unverified()
  jarfile.c:JAR_extract()
Signtool only calls JAR_extract() and JAR_pass_archive_unverified(), and only when the verify option is set.
Comment 16 • 19 years ago
inflate() is also used via libpng to decode PNG images.
Comment 17 • 19 years ago
Never mind, libpng has nothing to do with zlib in NSS, which would be immune to the vulnerability anyhow if it is still at zlib 1.1.4 or earlier.
Comment 18 • 19 years ago
Adding Neil and myself to cc list
Comment 19 • 19 years ago
Attachment #192100 Flags: superreview?(julien.pierre.bugs)
Attachment #192100 Flags: review?(neil.williams)
Comment 20 • 19 years ago
Comment on attachment 192100 (Fix for NSS_3_3_4_1_BRANCH)
see https://bugzilla.mozilla.org/show_bug.cgi?id=301212
Attachment #192100 Attachment is obsolete: true
Comment 21 • 19 years ago
Comment on attachment 192100 (Fix for NSS_3_3_4_1_BRANCH)
Canceling reviews on wrong product.
Attachment #192100 Flags: superreview?(julien.pierre.bugs)
Attachment #192100 Flags: review?(neil.williams)
Updated • 19 years ago
Status: RESOLVED → VERIFIED