Slashdot Mirror
Zlib Security Flaw Could Cause Widespread Trouble
BlueSharpieOfDoom writes "Whitedust has an interesting article posted about the new zlib buffer overflow. It affects countless software applications, even on Microsoft Windows. Some of the most affected application are those that are able to use the PNG graphic format, as zlib is wildely used in compression of PNG images. Zlib was also in the news in 2002 because of a flaw found in the way it handled memory allocation. The new hole could allow remote attackers to crash the vulnerable program or even the possiblity of executing arbitrary code."
Why are we still having buffer overflows? There's a compile option in Visual C++ that allows automatic buffer overflow protection. Does GCC have this switch? If so, why not? And why are people not using this? We have enough processing power on a typical PC to spend on these security such as this. Performance is not an excuse.
Looking further, this is an interesting example of the problems with monoculture. The BSD TCP/IP stack was copied for Windows and Mac OSX - this is great, it saves a tonne of time but you also means you inherit the exact same bugs as the BSD stack. This gives you an impression of how difficult it is to design secure operating system. If you borrow code such as this, you have to make sure it's secure. You can't really do that without line by line analysis which is unrealistic. In libraries the problem is especially accute. If you make a mistake in a well used library it could effect hundreds of pieces of software, as we've seen here.
We can't modularise security either, like we can modularise functionality, because you can take two secure components and put them together and get insecurity. Despite the grand claims people make about formal verification, even this isn't enough. The problem with formal verification is that the abstraction of the language you're using to obtain your proof may not adequately represent the way the compiler actually compiles the program. Besides, it's possible to engineer a compiler that deliberately miscompiles itself such that it compiles programs with security flaws in it.
What i'm trying to say is that despite what the zealots say, achieving security in software is impossible. The best we can do migitate the risk the best we can. The lesson to learn from security flaws such as this is that while code-reuse is good for maintainability and productivity, for security it's not great. As always, security is a trade-off and the trade-off here is whether we want to develop easy to maintain software quickly or whether we want to run the risk of these exploits being exploited. Personally, I fall in the code-reuse camp.
Simon.
Because Firefox renders PNG completely, it is prone to these sort of errors. However there is one browser that won't need a patch issued to be safe from this bug, which is Internet Explorer. While IE can render PNG a little, it hasn't implemented the full technology. By using IE, you ensure that you will be safe from any bugs that arise from new technologies, such as PNG.
So next time someone recommends a browser. Stop and wonder about what technology the latest browser has implemented properly without regard to any security issues, and remember that it will be decades before IE implements the technology (if it ever does) so it will be safe for quite some time, by being a stable browser that rarely changes.
Mods: This is not an attempt at troll, but a parody of the typical "This is why you should switch to Firefox" posts whenever a vulnerability involving IE. It should be painfully obvious, but then again most of you are on crack.
please visit this link:
http://www.hunger.hu/win.html
Warning: the link causes BSOD because of a flaw in the image rendering algorithm of some windows component when it tries to render a huge image, the waiting times out and the kernel decides its better just to panic.
The link causes no problems on linux, as it's implementation is not faulty.
I think there is a patch for this fault on windowsupdate, but i can't be certain as i'm not using windows.
So long with the zealotry of IE's safeness.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
Hi eepity you spamming fuck!
0 19918
http://slashdot.org/comments.pl?sid=155309&cid=13
I just wanted to ask Timothy is posting dupes would cause widespread trouble for the interenet. Seems like a flaw that not even open source can fix.
Both Debian and Ubuntu released the patch for this problem 2 days ago. I assume the other big names in the Linux world have or will follow suit shortly.
Parent is an attempted zlib buffer overflow hack. (The irony!) Don't click it.
/Mikael
Greylisting is to SMTP as NAT is to IPv4
even on Microsoft Windows
NOT WINDOWS! I was just about to move to it from this Linux thing!
I like muppets.
http://forums.gentoo.org/viewtopic-t-356659.html
I'm running RHN alert notification on Fedora Core 3, and my version of zlib has already been updated with a patch for CAN-2005-2096, the zlib overflow bug.
It's interesting to read about these as they occur, but it's a nice feeling that my operating system is so well taken care of. Too bad that all personal computers aren't set up for this kind of timely response. I wonder about those millions of library computers, home PCs, small business computers, and other institutional setups where no one even understands the concept of an update, let alone regularly runs the Windows "security" update program.
Another reason to use Linux!
it's = "it is"; its = possessive. E.g., it's flapping its wings.
...there has been no security audit that found this flaw. ...everybody's computers won't be automatically updated just because there is a patch that all total geeks love. ...the source haven't been read by all who uses it, and the flaw wasn't found.
:)
Let's face it, going through code isn't that much fun, and only big projects find stuff because many people are activly changing the code (and thus forced to read parts of it since the documentation isn't there(proper documentation, not a shabby man page and some out of date howto)). Which is probably why we've got new programming languages which do their best to avoid "security flaw by programming language"
We've seen many posts on slashdot recently explaining why the packaging systems are no longer desirable (if they ever were), that dependencies are a PITA (even with systems à la APT), etc.
But when you have a flaw in a very popular library like this, you'll be happy to know that all 354 programs using this library on your system will be safe once the shared library is upgraded... Windows users must upgrade every software manually, and they often won't be able to know precisely what software may be affected...
And this, my friends, is why 'dependency hell' is a good thing. A flaw is found in zlib - no trouble, just run the normal update program that comes with your distribution, 'yum update' or whatever, the centrally installed zlib library will be updated, and all applications will start using it.
The trouble comes with those software authors that wanted to be clever and to 'cut down on dependencies' and included a whole copy of zlib statically linked into their application. Now you have to replace the whole app to remove the zlib security hole. The dependency on zlib is still there, just better hidden, and in a way that makes upgrading a lot harder.
If Microsoft had any sense, a zlib.dll would be bundled with Windows and then Office (and many other apps) could use it. But they wouldn't want to do that, partly because it would involve admitting that they use such third-party libraries.
-- Ed Avis ed@membled.com
It affects countless software applications, even on Microsoft Windows.
I thought Microsoft was proprietary and didn't use open source like zlib? Snicker. I guess Microsoft is being assimilated.
It is really something that this flaw impacts so many applications.
This situation is unnecessary; the problem is that C is not a type-safe language, like ML, CAML, Haskell, Common Lisp, Scheme, Java, etc.
You could write that code in SML/CAML/Common Lisp and likely get it to run as fast or faster than the original (particularly if you did some space/time tradeoffs ala partial evaluation). Integration with the applications in the form of a library would be the tough part.
Here's a provocative bit from Paul Graham (Lisp expert entrepreneur) on buffer overflows.
http://www.thebricktestament.com/the_law/when_to_
The direct cause of this of course is programmer error. But lets be honest, we cannot realisticly expect a programmer to check every single pointer related statement in systems running into the thousands of KLOCs. You can certainly invest a lot of effort and reduce the number of potential bugs, but even then you cannot be sure that you've found them all. We really need to start using tooling (languages, compilers, APIs etc etc) that removes this task from the progammer. I'm not saying that every software project out there is suitable for this, but most userspace programs should be.
I'd far rather have an application that today is a little slower, but secure instead of fast but unsecure. Think about it, today it'll be slow and secure, in a year time it'll be fast and secure once the hardware cycle has caught up with the extra overhead introduced.
2B || !2B
Slander! I only mod people down when I'm off crack!
sig? Oh, that sig...
We don' neet no steenking zeeleeb. -LZO lib
Join the Slashcott! Feb 10 thru Feb 17!
Troll? Come on, I know it's early, but lighten up!
... that's better.
How 'bout -1 Lame Attempt at Humor using awkward attempt to make fun of the phrase "even on Microsoft Windows."
Note to self: Don't go for the obvious M$ joke early on Sunday morning. (Damn, did it again.)
Note to self/others: Lighten up!
Ah
Yes, both Visual C++ and the GCC ProPolice extensions provide stack and heap protection. And in general these techniques have a minimal impact on execution speed. Unfortunately, this does not solve the problem. There are still viable attacks that can be preformed by avoiding the stack canaries or heap allocation headers and overwriting other vulnerable data. The probability of developing a successful exploit is lower, but it's still there.
I don't disagree that building secure applications is hard, but it's certainly not impossible. Modularized code just adds another layer of compilcation and potentially confusion. Most of this can be addressed by documenting the design and interface constraints, and ensuring that they're followed. At that point even most security vulnerabilities are primarily implementation defects. Defects will of course still occur, but the trick is to build systems that fail gracefully.
Developers must to account for defects and expect that every form of security protection will fail given enough time and effort. This is why the concept of "Defense in Depth" is so important. By layering protective measures you provide a level of security such that multiple layers have to fail before a compromise becomes truly serious. Combine that with logging and monitoring, and a successful attack while usually be identified before damage is done.
Take the above vulnerabiliy and assume it exists in an exploitable form in a web app running on Apache with a Postgres backend. If the server had been configured from a "Defense in Depth" perspective it would be running in a chroot jail as a low privilege account. Any database access required would be performed through a set of stored procedures or a middleware component that validates the user session and restricts data access. SELinux or GRSecurity would be used for fine grained user control on all running processes. All executables would also be compiled with stack and buffer protection.
In the above scenario, you see that this single exploit wouldn't get you much. However, most systems are deployed with one layer of security, and that's the problem.
MSN Messenger uses PNG for some smilies, I guess it's time to disable them ;) 8-) :)
The problem with writing code in a typesafe language is, as you have noted, integration with libraries. The main reason that so much code is writen in C is that C needs pretty close to zero runtime support.
Not only do languages like Lisp need a fairly extensive runtime, they need dynamic memory allocation and garbage collection, and when you share garbage-collected objects between languages (potentially between multiple languages each with their own allocation models) you're asking for a whole new kind of hurt.
Find a type-safe language where the generated code is standalone and has an easy mechanism for importing and exporting data, and you'll get some traction. And much as I like lisp-family languages myself, that's not the way to go... nor is anything like Java. Perhaps there's something in the Modula family that will work, though my own experience with Modula 2 has not been encouraging.
Can someone explain why this zlib buffer overflow is only considered as a candidate for inclusion in the CVE list?
Has it not been completely verified, or is there just a lot of red-tape involved in being accepted by the CVE board?
as in Oscar.
I'll just sit down now.
Has anyone read the zlib code? While the author clearly tried to make it readable it's still very complex and it's very hard to see at a glance or even after many glances where potential buffer overflow problems may exist (or even where it might fail to implement the deflate algorithm). C is great language for writing an operating system where all you care about is setting bits in a machine register but this algorithm really taxes its abilties.
For comparison here is the deflate algorithm written in Common Lisp. It all fits neaty into a few pages. This is a far better language comparison example than the oft-cited hello world comparison.
or does it seem the end of the world will be caused by a buffer overflow?
For the undead crowd out there:
OpenBSD is affected, and was patched on the 6th of June
FreeBSD is affected, and was patched on the 6th of June
NetBSD base system is not affected, but a zlib from pkgsrc is, and was patched on the 8th of June
I see a lot of people complaining that it was badd that so many programs used zlib. Bit i think it is good.
Why??
Well they found one severe bug in one library and probably fixed 1000 programs within 24 hours from a critical bug.
well that is what i call a good track record.
Using mature and stable libraries is good, and it would have been better if they were even more rigorly tested and reviewed, but maybe that is how they found it.
I would however advice to use on stable components rigorous test and analysis tools that look for anything that can cause memeory errors and can advice on speed optimizations. Not just accepting them as beeing stable.
Greetings
There are no stupid questions, Just a lot of inquisitive idiots. (from a good friend)
I think this only underscores how difficult a programmers job really is, if they have any idea what they are doing.
To use compiled libraries and build upon someone elses experiences or to make your own. To use open code and to compile or use it incorrectly, or to reinvent the wheel and spin your own.
Not one has solved the problem.
I find it frightening when i can't trust data files.
I'm surprised it's anywhere near that low
...instead of looking for information on the NX bit from the buffer overflow page in Wikipedia, look up the thing specifically here. Yeah.
Happy people make bad consumers.
It's all very good advocating the use of languages that mitigate against heap and stack overflows et al. But as the recent XML RPC vulnerability in PHP applications should reinforce, the bad guys are migrating to higher level language attacks too.
The fundamental problem is that all too often, different components of a system have are implemented with different input validation. For example a web browser component running an web application may accept all text input, whereas the backend database is only expecting a subset of text inputs.
Developers should establish what input the lowest level component and highest level components will require to get the job done and validate input into all components subject to these requirements. Where the lowest and highest level components have different requirements then the developer needs to define some method of encoding values that would otherwise be considered invalid, and ensure that all components enforce this encoding.
Tim Brown
because it would involve admitting that they use such third-party libraries.
A company of that size doesn't sneakily use 3rd party software. They pay $$$ for 3rd party software they include, and they would only use 3rd party software if it was patented by a 3rd party, or prohibitively expensive to develop themselves. I'm pretty sure that does not include z-lib.
If anything, this story is about how good modularization is. Simply updating one shared library (libz.so or zlib.dll) will fix the problem for all of your installed applications. No?
In Soviet Washington the swamp drains you.
If the argument were that simple, static linking would never occur.
The flip side of the argument is that installing a broken zlib will break all application that are dynamically linked, but have no effect on those that are statically linked.
Remember too that an upgrade to a dynamically linked function means that proper testing must include all software that uses that function. A statically linked application can be tested as a standalone unit.
The resulting isolation of points of failure and lower MTTR is often seen as an advantage in production environments.
I remember this specific situation occurring in a production environment I worked in. A common library was updated, causing the failure of multiple critical applications. The ones not impacted? Statically linked.
Both sides of the discussion clearly have advantages and disadvantages; they have to be weighed to determine the proper risk/benefit.
Can You Say Linux? I Knew That You Could.
But what if you are running it in an embedded system that has been deployed on a Spacecraft?It's NOT easy at all to make that change! Zlib is in a LOT of places where data compression is needed as the algorithm and code are free. We found this zlib bug close to 3 years ago at NASA IV&V duing Code Analysis for the SWIFT mission using an Automated Tool (CodeSurfer). The tool told us we has a possible buffer /memory overflow problem in the zlib code at a certain spot. We had to figure out what was causing it which we non-trivial. TWe reccommended a fix then, and I'm pretty sure it was patched by the developers at least for the SWIFT mission. I'm surprised it has taken this long for the problem to be noticed in the mainstream software community. As others have said, keeping your libs up to date can resolve the problem. But once the code is released it becomes a much bigger task. It's theoretically possible to test software for all know conditions that might be serious enough to crash the system or open doors that should not be open. However, that task is VERY timeconsuming and the software DOES have to get to market! It's a hard line to walk to determine how much testing is enough and where to test deeper and where not to. Profilers and Analysis tools are very helpful but in the end it comes down to a human judgement (mistake) that things are "good enough"/
Not in the least bit, observe, just verified with ldd that Xorg and firefox have libz dynamically linked in on my system, which means on program restart, it will pick up the code from the shared library at runtime. It's the whole point of a dynamicly linked library.
Now once upon a time, a lot of distributions (and open source projects out of the box even) would just static link in libz for some reason or another, but after some security issues in the past that caused massive headaches for package maintainers, that practice has largely ceased.
XML is like violence. If it doesn't solve the problem, use more.
You don't have to test every piece of software that uses a dynamic library. Proper unit tests for the library itself will be enough, as long as they're comprehensive and cover the entire API; the only apps that might still break are those that use the library in ways it's not intended to be, but that's really the app developers' own fault then.
quidquid latine dictum sit altum videtur.
Hey shit for brains, living off of tax payer money, DID YOU FILE A BUG REPORT WITH THE ZLIB MAINTAINERS?
'm surprised it has taken this long for the problem to be noticed in the mainstream software community
It doesn't sound like you filed a bug report. If you didn't, go fuck yourself.
Software like entercept has buffer overflow protection. I got this on my machines in my network. I doubt I will even have to worry about this one.
People have been proposing the we code our critical operating systems, libraries and applications in a sandbox for decades now.
Well. Where is the p-system? Where is Javagator? Name me a multi-operating system application written in Visual Basic?
Name me a program not written in "C" or C++ ?
I mean a real one like "Linux" or "Windows Kernel" or "Mozilla" or "Word" or "Excel" or "ssh".
Hell, perl is written in C.
Well. I'm waiting. The fact of the matter is that programmer's need control to make truly
usable applications. The sandbox of Java or Visual Basic or Perl make them too slow. They are for making cute little toys, not systems. If you are making toys, use one of these. If you are making serious system tools, use "C". And check for buffer overflows and memory leaks. That's just the way it is.
The flip side of the argument is that installing a broken zlib will break all application that are dynamically linked, but have no effect on those that are statically linked.
That's why some people like to use (say) debian stable in production environments: security fixes are backported to the well-tested version of the lib, making a breakage quite unlikely.
I patched this already.
"The overflow does not
involve user supplied data, and therefore does not allow the execution of
arbitrary code. However, it could still be used by a remote attacker to
create a denial of service."
If your post isn't total bullshit, I'm pissed! I think there should be repercussions for this totally irresponsible attitude we see coming from NASA. When you say "the developers" I'm assuming you mean the developers of the SWIFT mission software, not the developers of zlib, because otherwise we wouldn't be seeing this article on Slashdot!
If, for some reason this turns into another Sasser or Code Red, I think penalties aught to be sought against these fuckwads. Using OSS has responsibilities associated with it too, you know!
"terrorism" and "pedophilia" are the root passwords to the Constitution
Zlib is not that complex, sorry.
... the reason people use "C" is that it produces small, fast code. Period. If you're
writing a library routine that going to get called billions of times a day, it needs to be fast. If you write it in Lisp, it's too slow.
Look
Here's why you should use C and not Lisp. This is form the "shootout" benchmarking programming languages. C wins across the board pretty much all the time against all other languages. Imagine if your computer was twice as slow as it is now. That'd what'd be like if your word process, operating system, browser, etc. weren't written in C. You'd buy another system if it ran twice as fast. This is why systems and serious applications are written in "C" not lisp or Java or perl or whatever.
-- Language is a virus from outer space.
You're not actually comparing statically linked libraries with shared libraries. What you're actually doing, is comparing upgrading with not upgrading. The library in the statically linked program did not get upgraded.
It's unclear how exploitable this bug is with OpenSSH. Just to be sure, apply the patch, recompile zlib, then relink and reinstall ssh.
If you don't want to go to the trouble of doing that right now, a quick fix would be to disable compression in the sshd_config file ("Compression no") and restart sshd. In fact, zlib has had a string of several security bugs recently, so it may be best to just do this anyway.
This is a perfect example of why dynamic linking is Usually A Good Thing. People are always going to be using libraries, and, like all code, those libraries invariably have bugs.
Appallingly, so many people still insist on static linking of published binaries, with no more compelling reason for this than a barely measurable performance boost they could make up for ten times over by profiling the app and recompiling with that data. This of course assumes that they're testing the final binary.
I don't mean to start up the static vs. dynamic linking flamewar, because there are plenty of circumstances where static linking is perfectly appropriate, but if you can't make a good argument for it, dynamic linking should be the default.
Now we have countless windows apps out there with overflows in both JPEG and PNG (recall the overflow in JPEG a few months ago). It looks like the old "images are safe" mantra that tech support has been spouting out to users regarding attachment safety is falling apart.
There's no failure quite as dissatisfying as a complete and total solution to the wrong problem.
A vulnerability has been found on a Microsoft product?
:)
This changes my whole world. Now I'm going to have to stop purchasing Microsoft products..
oh wait..
That's a tad optimistic. Think about it, were that true, there would be no need for any sort of testing other than unit testing. You'd simply test all the units separately (per their APIs) and that would be enough to prove the whole system will work.
APIs always leave something to the interpretation.
Take Java. There are thousands of API methods carefully documented, and thousands of unit tests which Sun can run on any Java implementation to check that it is totally compliant. Does that mean you can run your app on a different version of Java and count on it to 'just work', with no extra testing? You'd be a brave guy if you did.
fud, notfud, yes, no, maybe
Here is a sample of the Scan log.
Input is just one interface... every internal interface in a system also needs to be designed so that it only accepts known safe or encapsulated data, and if there's limits on safe input they need to be something that the upper layer can reasonably check without having to effectively replicate the component it's passing the data to.
Let's say, for example, that this overflow involves a pathological artificially created compressed stream. To test for it, you may have to implement most of the algorithms in zlib. To test for it in an image file, you'd have to implement a decoder for that image format that would at least extract the compressed streams to pass to zlib... as well as implementing zlib.
If the problem in the underlying component is a bug that involves the structure of a complexly encoded data stream, it can't really be described in the input or any internal interfaces. Which means that you're not going to catch it with input validation.
Which means that while resiliant interface design is important, it's not going to be enough to block deep attacks. The only way to do that is to make the components themselves secure and resilient. And depending on input validation can cause problems, just ask anyone with an unusual surname.
Zlib itself contains 8000 lines of code. Not very big, is it? It's been around for years and is widely used, so in theory a lot of people have been able to look at it. And yet, after all these years, they are still finding buffer overflows in these 8000 lines of code.
Zlib was not written by monkeys. It was written by very smart, experienced coders. And yet somehow they are not able to write 8000 lines of code without multiple serious buffer overflows.
As long as code like this is written in C we're going to have these problems.
Saying, "there's a critical buffer overflow in a library written in C" is as newsworthy as saying "when I bang my head against the wall I get a headache."
This is really an argument for versioning dynamic libraries very carefully. The Linux dynamic linker has perfectly good support for avoiding problems like this. Each shared library has a "SONAME" field. Programs linked against the library should be able to use any later version of the library with the same SONAME. If the library changes in some way that breaks desireable behavior, it is supposed to get a new SONAME. The system keeps two sets of symlinks, in addition to the object files: libfoo.so is the latest version and libfoo.so.{version} is the latest version of a compatible series. When you link a program, you use the libfoo.so to find which series is newest. When you run a program, you use libfoo.so.{version}, so you get the newest compatible version.
It sounds like the problem you had was that the common library version number wasn't changed when it should have been. If it had been changed, there would have been no effect on any of the existing programs, static or dynamic. Of course, for a two-line fix to a function which only changes the behavior of the library when dealing with corrupted files, and resulted in a buffer overflow instead of an error, the change won't break anything except attacks, so keeping the same SONAME is right.
Note that you can see this by doing "ldd {program}", which will report how it looks for each library and what it finds. And you can see that zlib claims to be backwards compatible all the way through 1.x, while openssl is only to 0.9.7.
> Nothing more fun than firing off a couple apt-get upgrades in the morning while watching your bsd/gentoo friends sit around rebuilding
What!!! The gentoo/bsd crowd wouldn't staticly link zlib. They would only need to rebuild one package. You sir, are full of crap.
Absolutely.
Most Common Lisp compilers compile to machine code just like C compilers do. The overhead imposed by the runtime type dispatch for operations is very small (and can even go to zero in many cases). Any difference in deflate speed is likely to be insignificant part of the overall speed any application using zlib.
Hey you guys,
Just wanted to point out that, amidst the usual "They should've written it in perl" type nonsense, can I just point out that
** This is a _really_ serious bug **
Zlib is very easy to use, effective, and standard, so has been VERY WIDELY incorporated into apps for the last half-dozen years. Those apps are all the most popular *INTERNET FACING* apps (b/c most everyone adds a dash of zlib on incoming or outgoing internet data), and they almost all trust zlib to not blow up on incoming data.
Dudes, not only PNG, but *Macromedia Flash* does and has always used zlib. Anyone fancy checking that?
Perhaps it might be an idea to write a firewall filter that inspects data to detect poisoned zip streams? I believe it can be done reasonably efficiently b/c zip streams are not that expensive to identify.
[FrLz]
Luckily there were some Gentooists recompiling their systems packages every so often, since the vulnerability was found by the Gentoo Linux Security Audit Team here. I've always thought the the more projects making use of the same library, as well as, the platforms a project is ported to eventually improves the quality and stability of the code. In this case the security was improved, but in general the abstracted parts of the code improve.
--Excyl
you could write the most incredibly scary 'sploit with this hole;
;-)
Naturally I don't know what I'm talking about (in terms of sploitability of the zlib hole, but it looks bad from a cursory scan) but..
Let's say that there are a buttload of vulnerable programs (let's suppose; multiple browser/IM client PNG implementations, Flash Player(!), email browsers, etcetera) and they mostly link in (statically or dynamically) one of say 4 different builds of zlib. I am making assumptions here which someone will be happy to correct me on, but as this code is right in the core of the decompressor, the local stack frame (regardless of which vulnerable app is running) will likely be usually very similar, making a near-universal buffer overflow sploit at least more practicable.
Now this may be conjecture, but it seems possible that sufficiently misguided individual(s) could work hard and produce an outrageouly virulent nasty that could infect a multitude of different apps. Dunno how hard it would be to get the payload working though.
Certainly busting into a web server will get much easier for a lot of people - there are a lot of server apps that accept (or look inside) zip files, not to mention _virus scanners_. Oh the irony - Your virus checker gets you 0wned.
Disclaimer: Actually implementing any or all of the above sounds like, at best, a waste of one's precious lifetime. Go hang out with some friends instead.
[FrLz]
zlib written in CL, sans buffer overflows: http://www.cliki.net/Salza
Drew Crampsie - Software Developer
Open Source Business : The Tec
Er... no. Long running software (ie daemon) will continue to use the old version, which would reside in memory (in their code segment, I guess). We got beaten by this a little while back, when there was a worm exploiting Apache thru a bug in OpenSSL. The guy responsible for applying the security updates did in fact update the lib, but did not restart Apache. Result ? One of our machine got owned, even though the bug was patched.
:wq
Why do you think you only had to upgrade a single package to get this fixed? It's because zlib is dynamically linked into the other programs. You would only need to rebuild all of your packages if you had zlib statically linked into your programs, which isn't done by anyone (even the bsd/gentoo folks) who isn't insane. Right now i'm using Gentoo, and all I had to do was update zlib which didn't take more than a couple minutes.
#include ".signature"
Ah, but when? Do they start using it immediately, or do running programs cache the old library, and therefore need a restart? And, if you don't know which programs are running it, then you have to reboot, right?
I agree that it's useful to patch one library rather than several programs, but it doesn't necessarily mean that you're safe just from updating the library. You also need to restart all the programs that use it.
Given that software is always bound to have flaws, modularized code allows you to fix the problem once and have it fixed in all applications that use that library, which is what I just did in my Debian system.
To pretend that replicating the same fuctionality across thousands of incompatible libraries in different operating systems is the solution is as close to blindness as you can get.
You say that modular code helps in maintainability. Yeah, and a big part of the maintainability is making the code maintainable from a security point of view. In summary, I want to fix things once and have them fixed across the board in all applications that use a library.
Of course, you appear to be coming from the world of proprietary operating systems, where the concept of a distribution of software that works well together and is maintained as a whole of does not exist.
The fact that on Windows, you may have to get the same fix from Microsoft, Adobe, Corel and a thousand other vendors only highlights the fact that open source code is both more reusable and more maintainable and thus ultimately more secure because the security process can be optimizied through modularity: Fix once, fix everywhere!
Pragmatism as an ideology is not particularly pragmatic in the long term. Keep it in mind when you dismiss Free Software
The reason I don't have mod points this week is because my pipe is broken, in fact.
Java is slow. If you don't like the shootout, make your own bechmarks. Go ahead, rig it up so that Java is calling assembly language routines so that you can say that Java is faster than C. Go ahead. Have fun.
The rhetorical questions remains: where's Javagator?
(Nicely appropriate username, by the way)
:p
For some reason, half the time when I've used apt-get, it breaks. Updates stop happening, and the installation of new packages doesn't work. Considering that this happens WITHOUT changing configuration files or using any funky tags, then I would have to say that it's a flawed system.
Portage only breaks if I do it myself. And since I'm not an idiot, it's never happened to me
Um, I'm sorry but plenty of progams that the Gentoo/BSD crowd use statically link to zlib, and thus, must be patched and rebuilt, thus meaning that the grandparent is correct.
While setting up Gentoo for the first time myself, I remarked about this, and of course, my friends told me it would be "no big problem". Sadly, the 500MHz Celeron system I installed it on will now require to be shut down for nearly a week while it goes through everything effected and rebuilds it all. Of course, ccache and distcc will help speed this up, but neither is the perfect solution (distcc requires the computers be up and running and on the network during the entire compile process, ccache can only ccache objects that don't change and can take up a ton of space with cached objects).
Meanwhile all of my file servers will be perfectly alright with an apt-get upgrade and a manditory restart (system policy; I'd much rather insure the newer libraries are loaded into memory than risk it).
"Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
I agree.
Can someone explan why the stack is accessible so close to the data? Seems like there should be a way to prevent writing application data onto the stack where it can collide with instructions in the first place. And, it seems that this is a compiler implmentation issue, and it should not matter what language you are using. And, even if the language standard requires ambiguity, with a switch you could make it "standards compliant" vs "safe and usable".
Yea, I'm probably oversimplifying, which is why I consider it a dumb question.
Any references to books that explain how this works would be appreciated.
And linux.
What are you talking about? All I had to do was to rebuild zlib and restart apps that used zlib. Oh, I did that while I ssh back home from work, all I had to do was to fire off a couple commands to do the same fix as apt-get.
Please, learn how a Linux/BSD system work, how linked/static binaries work before start critiquing other distributions with non-sense.
Please direct all bug reports to
$ uname -a
Linux mars 2.6.10-gentoo-r6 #1 Fri Jan 28 04:06:48 CST 2005 i686 AMD Duron(tm) processor AuthenticAMD GNU/Linux
$ for x in
> ldd $x | grep libz
> done
libz.so.1 =>
libz.so.1 =>
libz.so.1 =>
libz.so.1 =>
libz.so.1 =>
libz.so.1 =>
libz.so.1 =>
$ ldd
not a dynamic executable
so.. of the programs that I could think of that link to zlib, only firefox doesn't link dynamically by default.
-metric
that's because /usr/bin/firefox is a shell script. The real firefox binary is loacted somewhere like /usr/lib/mozilla-firefox/firefox-bin.
/usr/lib/mozilla-firefox/firefox-bin | grep libz /usr/lib/libz.so.1 (0xb76b4000)
$ ldd
libz.so.1 =>
...I think penalties aught to be sought against these fuckwads. Using OSS has responsibilities associated with it too, you know!
No. You REALLY don't want to put the burden of responsibility on anyone wo happens upon a bug. If this person is working on project X for NASA, and they're getting paid for it and they have deadlines, I certainly DO NOT want him going off on a tangent to fix a bug in software library Y.
When you're working, your number one priority should be getting the assigned task done. There are people at NASA who do contribute oodles of code to Linux and other projects, and that's part of their job description. It's none of this guy's business to be tweaking zlib when he's getting paid to make SWIFT work.
Granted, it would be polite to drop a line to the maintainers letting them know about the bug.
As a snide post-script of sorts; people like you scare the crap out of the vast majority of businesses out there who are thinking about using OSS.
"Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
> Um, I'm sorry but plenty of progams that the Gentoo/BSD crowd use statically link to zlib, and thus, must be patched and rebuilt, thus meaning that the grandparent is correct.
OK name a few then, and binary programs like ut2004 or mozilla-firefox-bin that aren't compiled from source don't count.
Have you ever looked at the zlib source code? I used it to embed some PNG capability into a utility I wrote several years ago. It's a mess. There are typedefs, macros, typedefed maros and macro'ed typedefs all over the place. I guess it's for portability but that doesn't necessarily make it programmer-friendly. I am not surprised at all.
Huh? USE=-static set, just emerge zlib, takes maybe 20 minutes on a slow system, and there you are. And it will be a faster version. The linux scheduler is good enough that if you run it at nice 19 the compile won't affect your use of the system.
I am trolling
Anyone else find it odd how Whitedust seem to be using this flaw (and the apache one) to their benefit to advertise their web site.
This is exactly why Windows performs the file level locking that it does and asks for a reboot when a shared library currently in use is updated. Windows installer is fully capable of cutting the file lock and replacing the file, and the reboot is more often than not just a recommendation, but a reboot is the one way to fully and completely ensure that the older version of the code is no longer being executed.
You cannot bind dynamic-length strings into a language and match the efficency (at least on a function-level) of a static language.
By exposing every bit of it, C allows you to keep the amount of data manipulation to a bare minimum where it counts. By the same token, it also make it necessary to do every little operation (grow the string, etc.) where the slowdown wouldn't matter.
But anyway, in a tight operation like that which makes up most of the total time spent to accomplish a task (compress a file), a Lisp implementation will be slower than a well-coded C version.
But I'm not saying that this means that C is the right language for other, less CPU-intensive tasks.
Why don't you argue that lead pipes and asbestos insulation are good building materials, while you're at it?
Remains what, unanswered? If it's rhetorical, why are you trolling for an answer?
...for reimplementing zlib from scratch on PuTTY...
Hmmmm, I had a minimal Fedora 3 installation on a wonderful coLinux installation, which seldom gets updated packages, but I noticed zlib was updated the other day (via freshrpms, apt-get). Kinda surprised me that something as mundane as a compression library would need updating. But I'm guessing this is why, and several days before the news hits slashdot, awesome.
Love many, trust a few, do harm to none.
I'd like to say that this shouldn't even be an issue, but unfortunately that would damn us to Windows-like constant reboot-on-install-and-update hell. (I assume this is a large reason of why Windows demands reboots after updates.)
A somewhat less foolproof solution would be to drop the machine to single user, then bring it back to multiuser. That has its own set of obvious problems that aren't acceptible in every situation.
Zlib is not a userspace program. (-1 Offtopic)
What is the big deal? The bug was fixed last week on Gentoo.
http://bugs.gentoo.org/show_bug.cgi?id=98121
I tried ./Configure --help with OpenSSL-0.9.7g for Linux, and noticed something that might help in the output:
[[no-]zlib|zlib-dynamic]
Would it help to re[configure & compile & install] with the no-zlib option? I know it's just a bandaid, but every little bit helps, right?
According to the CERT bulletin, zlib 1.2.2, released in Oct 2004, fixes this issue. Is this really patched or not?
> You cannot bind dynamic-length strings into a
> language and match the efficency (at least on a
> function-level) of a static language.
Actually it turns out you can Anonymous Coward, at least in Common Lisp. Through the use of type declarations and the 'optimize' declaration you can declare your intentions that it's more important that a piece of code run fast than it be safe from bad input. In that case string operations are as fast as C.
Generally you only worry about speeding up the key loops in your code (there's that old saying that N% of the time is spent in M% of the code for N >> M). Before removing type checks through the optimize declaration you add code to ensure that the input is ok and then you let the compiler generate optimized code for the loop. Thus you're only vulnerable in a small part of your code and with your own checks you eliminte that vulnerability. With C you're vulnerable in all your code by default. And that brings us back to zlib...
Remember too that an upgrade to a dynamically linked function means that proper testing must include all software that uses that function.
Wrong. Totally wrong way to go about it. If you're building with a library the library should be treated as a black box. If you can't trust it to work as a black box, don't use it.
The habbit of doing this kind fo regression testing is a bad habbit brought about by people relying on bad libraries. Think about it. If a mechanic replaces an air or oil filter, he may test the car to make sure it runs but he sure as hell isn't going to go through the rigorous checks the engine went through at the factory. If mechanics worked that way they'd be out of business. So too with coders.
These posts express my own personal views, not those of my employer
So, does anyone know a good way for me to identify binaries on my system which are statically linked to zlib?
/{,usr/,usr/X11R6/,usr/local/}{s,}bin 2>/dev/null | while read FILE ; do
/opt/*). This is just a proof-of-concept.
Will this work? Is "zlib" a good enough string to search for?
#!/bin/bash
grep -rl zlib
if ! (ldd ${FILE} | grep libz >/dev/null); then
echo ${FILE}
fi
done
And yeah, I know there are other locations where I have binaries (e.g. ~/bin,
Be careful. People in masks cannot be trusted.
Don't assume you found the same vulnerability. If you look at the zlib checkins you'll see there are plenty of similair patches which aren't so wildly publicized. This one's obscure too and an automated too would have no way of detecting it.
>If you're building with a library the library should be treated as a black box. If you can't trust it to work as a black box, don't use it.
I take it you don't use many libraries, do you?
I think you mean pwned.
I, for one, was pleased to be a user of Gentoo Linux when this bug hit. I got notification via e-mail before the CERT report was even live, and after an emerge --sync and emerge zlib (the compiling of zlib took hardly any time at all), I ran lsof | grep libz and restarted the affected packages. Fixing my cluster at work took a few minutes, and I fixed my machines at home over SSH.
And just what is "bug free" anyway?
To use a building analogy, we can create a perfect, bug-free classes, doors, windows, chimneys, plumbing, etc. etc. But even with "perfect" classes, you'll get some "idiot" using them in unexpected ways, like uing a shower curtain instead of a security screen for the front door.
Do we counter this by restricting how the "shower screen" class can be used? Or by limiting what kinds of classes can be inserted into ExteriorWall()? Can we reasonably anticipate how people will combine things?
To paraphrase The Young Ones, "Well it doesn't say, 'do not fill VCR with dish washing detergent'"
Xix.
"Everything is adjustable, provided you have the right tools"
There are good arguments for both static and dynamic linking -- neither is inherently better than the other for all situations.
What we really need is the ability to take a statically-linked binary and relink it with a new version of an included library like this, without requiring the source or object files. (Of course, this would require retaining relocation information in the binary.)
If relinking were possible, needed security fixes could be safely relinked into existing static binaries on demand, without risking random breakage from library upgrades...
Deven
"Simple things should be simple, and complex things should be possible." - Alan Kay
And yet aren't these the advantages of Unix-like systems over Windows? That you don't have to reboot after every update, that you can gracefully restart services?
Maybe the only way to _really_ fix the problem is to go to a managed code system (Java, or
-- Ed Avis ed@membled.com