Another zlib-1.2.2 buffer overflow

VERIFIED FIXED in mozilla1.8beta4

Status


VERIFIED FIXED

People

(Reporter: glennrp+bmo, Assigned: darin.moz)

Tracking

Keywords: crash
Version: Trunk
Target Milestone: mozilla1.8beta4
Bug Flags:
blocking1.8b3 -
blocking1.8b5 +


Details

(Whiteboard: [sg:fix])

Attachments

(1 attachment)

(Reporter)

Description

13 years ago
While working on bug #299425, the zlib team has discovered another
vulnerability.  The fix (by Mark Adler) is to change a couple of settings in
inftrees.h:

--- 36,47 ----
    */

   /* Maximum size of dynamic tree.  The maximum found in a long but non-
!    exhaustive search was 1444 code structures (852 for length/literals
!    and 592 for distances, the latter actually the result of an
      exhaustive search).  The true maximum is not known, but the value
      below is more than safe. */
! #define ENOUGH 2048
! #define MAXD 592
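Review bot: only the `---` (new-file) side of this context hunk is visible, so the values ENOUGH and MAXD had before the change cannot be read from the patch; please include the `***` side or state the old values so a reviewer can see how far the bounds move. The comment in the hunk itself says the 852 length/literal figure came from a non-exhaustive search and that "the true maximum is not known", so the new constants are headroom rather than a proven bound; confirm that the table builder in inftrees.c also rejects a code set that would exceed these limits at runtime instead of relying on the constants alone, and add the crashing demo file mentioned later in this bug as a regression test once it can be shared.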
Flags: blocking1.8b4+
Flags: blocking1.8b3?
Whiteboard: [sg:fix]
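The fix described above raises two compile-time bounds, ENOUGH and MAXD, on the size of the decoding tables inflate builds from a block's Huffman code lengths, to values found by searching for the largest tree. The program below is an added example, not zlib's code or the patch: it computes how many table entries a given set of code lengths needs (a root table of 2^root entries plus one sub-table for each distinct root-length prefix among the longer codes, mirroring the inftrees.c scheme as the author understands it, which is an assumption) and applies the bound check a fixed-size table must make at runtime whatever constants were chosen. ENOUGH and MAXD are the values from the hunk; treating ENOUGH - MAXD as the length/literal table's share is an assumption; the sample code-length sets are constructed, with the fixed literal/length lengths taken from RFC 1951.

```c
/* Added example, not zlib's code or the patch above: models how large a
 * deflate decoding table gets for a given set of Huffman code lengths, and
 * the bound check a fixed-size table needs.  The sizing mirrors the root
 * table plus sub-table scheme of zlib's inftrees.c as the author understands
 * it (an assumption); every sample input below is constructed. */
#include <stdio.h>
#include <string.h>

#define MAXBITS 15        /* deflate code lengths run 1..15 */
#define ENOUGH  2048      /* values from the patch in the description */
#define MAXD    592
#define NRUNS(a) (sizeof (a) / sizeof (a)[0])

/* Entries (root table plus sub-tables) for lens[0..codes-1] with a 'root'-bit
 * root table; -1 if the lengths are over-subscribed, or incomplete other than
 * the single length-1 code that deflate allows. */
int table_entries(const unsigned short *lens, unsigned codes, unsigned root)
{
    unsigned count[MAXBITS + 1], len, max, min, sym, incr, mask, used;
    unsigned huff = 0, curr = 0, drop = 0, low = (unsigned)-1;
    int left = 1;
    memset(count, 0, sizeof count);
    for (sym = 0; sym < codes; sym++)
        if (lens[sym] > MAXBITS) return -1; else count[lens[sym]]++;
    for (max = MAXBITS; max >= 1; max--) if (count[max]) break;
    if (max == 0) return -1;                       /* no codes at all */
    for (min = 1; min <= MAXBITS; min++) if (count[min]) break;
    if (root > max) root = max;
    if (root < min) root = min;
    for (len = 1; len <= MAXBITS; len++)           /* Kraft inequality */
        if ((left = (left << 1) - (int)count[len]) < 0) return -1;
    if (left > 0 && max != 1) return -1;
    used = 1U << root;
    mask = used - 1;
    for (len = min;;) {
        /* next canonical code, kept bit-reversed as the decoder indexes it:
           its low 'root' bits are the code's first 'root' bits */
        incr = 1U << (len - 1);
        while (huff & incr) incr >>= 1;
        huff = incr ? (huff & (incr - 1)) + incr : 0;
        if (--count[len] == 0) {
            if (len == max) break;
            do len++; while (count[len] == 0);
        }
        /* a longer-than-root code under a new root prefix opens a sub-table,
           sized from the counts of the lengths still to be placed */
        if (len > root && (huff & mask) != low) {
            if (drop == 0) drop = root;
            curr = len - drop;
            left = (int)(1U << curr);
            while (curr + drop < max) {
                left -= (int)count[curr + drop];
                if (left <= 0) break;
                curr++;
                left <<= 1;
            }
            used += 1U << curr;
            low = huff & mask;
        }
    }
    return (int)used;
}

/* Constructed samples as (count, length) runs; expand() builds the lens[]. */
static const unsigned FIXED_LITLEN[][2] = {{144, 8}, {112, 9}, {24, 7}, {8, 8}}; /* RFC 1951 */
static const unsigned STAIRCASE[][2] = {{1, 1}, {1, 2}, {1, 3}, {1, 4}, {1, 5},
    {1, 6}, {1, 7}, {1, 8}, {1, 9}, {1, 10}, {1, 11}, {1, 12}, {1, 13}, {1, 14},
    {2, 15}, {14, 0}};  /* 30 symbols; all codes past the root share one prefix */
static const unsigned FOUR_PREFIXES[][2] = {{15, 4}, {2, 7}, {11, 8}, {2, 9}};
static const unsigned OVERSUBSCRIBED[][2] = {{3, 1}};

static unsigned expand(unsigned short *lens, const unsigned (*runs)[2], unsigned n)
{
    unsigned out = 0, i, k;
    for (i = 0; i < n; i++)
        for (k = 0; k < runs[i][0]; k++) lens[out++] = (unsigned short)runs[i][1];
    return out;
}

int sample_entries(const unsigned (*runs)[2], unsigned n, unsigned root)
{
    unsigned short lens[320];
    return table_entries(lens, expand(lens, runs, n), root);
}

/* The runtime check a fixed-size table needs: 1 fits, 0 too big, -1 bad lengths. */
int sample_fits(const unsigned (*runs)[2], unsigned n, unsigned root, unsigned limit)
{
    int used = sample_entries(runs, n, root);
    return used < 0 ? -1 : (unsigned)used <= limit;
}

int main(void)
{
    printf("fixed lit/len, root 9:  %d entries\n", sample_entries(FIXED_LITLEN, NRUNS(FIXED_LITLEN), 9));
    printf("staircase dist, root 6: %d entries, fits MAXD: %d\n",
           sample_entries(STAIRCASE, NRUNS(STAIRCASE), 6), sample_fits(STAIRCASE, NRUNS(STAIRCASE), 6, MAXD));
    printf("staircase lens, root 9: %d entries, fits ENOUGH - MAXD: %d\n",
           sample_entries(STAIRCASE, NRUNS(STAIRCASE), 9), sample_fits(STAIRCASE, NRUNS(STAIRCASE), 9, ENOUGH - MAXD));
    printf("four prefixes, root 6:  %d entries\n", sample_entries(FOUR_PREFIXES, NRUNS(FOUR_PREFIXES), 6));
    return 0;
}
```

The staircase set makes every code longer than the root share a single prefix, so one sub-table of 2^(max - root) entries is needed on top of the root table (576 in total for a 6-bit root), while the four-prefix set shows how several small sub-tables add up; other complete code sets can be dropped in to see how quickly a crafted block pushes the total toward the bounds.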
Comment 1

Created attachment 188933: patch from initial comment

Attaching patch from initial comment so we can attach appropriate flags
Attachment #188933 - Flags: superreview+
Attachment #188933 - Flags: review?(cbiesinger)
Attachment #188933 - Flags: approval1.8b4?
Attachment #188933 - Flags: approval1.8b3?

Comment 2

13 years ago
Is this exploitable?
Comment 3

Comment on attachment 188933: patch from initial comment

rs=me, I guess. I don't know this code at all.
Attachment #188933 - Flags: review?(cbiesinger) → review+
(Reporter)

Comment 4

13 years ago
Re: comment #2
Mark Adler seems to be more concerned about this one than the previous, probably
because it's easier to understand.  The team has a demo file that crashes zlib
but isn't distributing it right now.
(Reporter)

Comment 5

13 years ago
Like the previous bug, this one was apparently introduced in zlib-1.2.0 and does
not affect version 1.1.4.
(Reporter)

Comment 6

13 years ago
Whoops, the cross reference in my original comment is incorrect.  It should say
bug #299445.  Sorry.

Updated

13 years ago
Flags: blocking1.8b3? → blocking1.8b3-

Updated

13 years ago
Attachment #188933 - Flags: approval1.8b4?
Attachment #188933 - Flags: approval1.8b4+
Attachment #188933 - Flags: approval1.8b3?
(Reporter)

Comment 7

13 years ago
Zlib developers have released zlib-1.2.3 which includes the fix for this and the
other recent security bug.  At this point we probably should upgrade to 1.2.3
instead of patching the bug.  See zlib.net/zlib-1.2.3.tar.gz.  Here is the
announcement from Mark Adler:


All,

Thank you very much for your testing.  zlib 1.2.3 is available here:

     http://zlib.net/zlib-1.2.3.tar.gz

This is the final version.  I would appreciate it if someone could
generate zip and dll versions with the same conventions used for the
previous release.  Thanks.

mark


MD5(zlib-1.2.3.tar.gz)= debc62758716a169df9f62e6ab2bc634

SHA1(zlib-1.2.3.tar.gz)= 60faeaaf250642db5c0ea36cd6dcc9f99c8f3902

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQBC27A4eD/Njli8r7oRAkknAKDT33PcLS0aTOAK1BhZSmqXUy0LmwCfTQdU
WGxs9D/VFnlBbRkM4KQY6X8=
=cu2V
-----END PGP SIGNATURE-----

Comment 8

13 years ago
I will upgrade mozilla/security/nss/cmd/zlib to zlib 1.2.3
(bug 301212).
(Reporter)

Comment 9

13 years ago
Now that zlib-1.2.3 has been released this can be public.  Removing
security-sensitivity flag.
(Reporter)

Comment 10

13 years ago
Someone empowered to do so, please clear the security-sensitive flag.
(Reporter)

Comment 11

13 years ago
Zlib-1.2.3 has been released and has been published on the zlib web site,
http://www.zlib.net .  See bug #301646 for a patch to upgrade modules/zlib
Group: security
(Assignee)

Updated

13 years ago
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.8beta4
(Assignee)

Comment 12

13 years ago
fixed-on-trunk
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
(Reporter)

Updated

13 years ago
No longer depends on: 301646
(Reporter)

Updated

13 years ago
Status: RESOLVED → VERIFIED