Slashdot Mirror
Zlib Security Flaw Could Cause Widespread Trouble
BlueSharpieOfDoom writes "Whitedust has an interesting article posted about the new zlib buffer overflow. It affects countless software applications, even on Microsoft Windows. Some of the most affected application are those that are able to use the PNG graphic format, as zlib is wildely used in compression of PNG images. Zlib was also in the news in 2002 because of a flaw found in the way it handled memory allocation. The new hole could allow remote attackers to crash the vulnerable program or even the possiblity of executing arbitrary code."
Why are we still having buffer overflows? There's a compile option in Visual C++ that allows automatic buffer overflow protection. Does GCC have this switch? If so, why not? And why are people not using this? We have enough processing power on a typical PC to spend on these security such as this. Performance is not an excuse.
Looking further, this is an interesting example of the problems with monoculture. The BSD TCP/IP stack was copied for Windows and Mac OSX - this is great, it saves a tonne of time but you also means you inherit the exact same bugs as the BSD stack. This gives you an impression of how difficult it is to design secure operating system. If you borrow code such as this, you have to make sure it's secure. You can't really do that without line by line analysis which is unrealistic. In libraries the problem is especially accute. If you make a mistake in a well used library it could effect hundreds of pieces of software, as we've seen here.
We can't modularise security either, like we can modularise functionality, because you can take two secure components and put them together and get insecurity. Despite the grand claims people make about formal verification, even this isn't enough. The problem with formal verification is that the abstraction of the language you're using to obtain your proof may not adequately represent the way the compiler actually compiles the program. Besides, it's possible to engineer a compiler that deliberately miscompiles itself such that it compiles programs with security flaws in it.
What i'm trying to say is that despite what the zealots say, achieving security in software is impossible. The best we can do migitate the risk the best we can. The lesson to learn from security flaws such as this is that while code-reuse is good for maintainability and productivity, for security it's not great. As always, security is a trade-off and the trade-off here is whether we want to develop easy to maintain software quickly or whether we want to run the risk of these exploits being exploited. Personally, I fall in the code-reuse camp.
Simon.
Because Firefox renders PNG completely, it is prone to these sort of errors. However there is one browser that won't need a patch issued to be safe from this bug, which is Internet Explorer. While IE can render PNG a little, it hasn't implemented the full technology. By using IE, you ensure that you will be safe from any bugs that arise from new technologies, such as PNG.
So next time someone recommends a browser. Stop and wonder about what technology the latest browser has implemented properly without regard to any security issues, and remember that it will be decades before IE implements the technology (if it ever does) so it will be safe for quite some time, by being a stable browser that rarely changes.
Mods: This is not an attempt at troll, but a parody of the typical "This is why you should switch to Firefox" posts whenever a vulnerability involving IE. It should be painfully obvious, but then again most of you are on crack.
please visit this link:
http://www.hunger.hu/win.html
Warning: the link causes BSOD because of a flaw in the image rendering algorithm of some windows component when it tries to render a huge image, the waiting times out and the kernel decides its better just to panic.
The link causes no problems on linux, as it's implementation is not faulty.
I think there is a patch for this fault on windowsupdate, but i can't be certain as i'm not using windows.
So long with the zealotry of IE's safeness.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
Both Debian and Ubuntu released the patch for this problem 2 days ago. I assume the other big names in the Linux world have or will follow suit shortly.
/Mikael
Greylisting is to SMTP as NAT is to IPv4
even on Microsoft Windows
NOT WINDOWS! I was just about to move to it from this Linux thing!
I like muppets.
http://forums.gentoo.org/viewtopic-t-356659.html
I'm running RHN alert notification on Fedora Core 3, and my version of zlib has already been updated with a patch for CAN-2005-2096, the zlib overflow bug.
It's interesting to read about these as they occur, but it's a nice feeling that my operating system is so well taken care of. Too bad that all personal computers aren't set up for this kind of timely response. I wonder about those millions of library computers, home PCs, small business computers, and other institutional setups where no one even understands the concept of an update, let alone regularly runs the Windows "security" update program.
Another reason to use Linux!
it's = "it is"; its = possessive. E.g., it's flapping its wings.
...there has been no security audit that found this flaw. ...everybody's computers won't be automatically updated just because there is a patch that all total geeks love. ...the source haven't been read by all who uses it, and the flaw wasn't found.
:)
Let's face it, going through code isn't that much fun, and only big projects find stuff because many people are activly changing the code (and thus forced to read parts of it since the documentation isn't there(proper documentation, not a shabby man page and some out of date howto)). Which is probably why we've got new programming languages which do their best to avoid "security flaw by programming language"
We've seen many posts on slashdot recently explaining why the packaging systems are no longer desirable (if they ever were), that dependencies are a PITA (even with systems à la APT), etc.
But when you have a flaw in a very popular library like this, you'll be happy to know that all 354 programs using this library on your system will be safe once the shared library is upgraded... Windows users must upgrade every software manually, and they often won't be able to know precisely what software may be affected...
And this, my friends, is why 'dependency hell' is a good thing. A flaw is found in zlib - no trouble, just run the normal update program that comes with your distribution, 'yum update' or whatever, the centrally installed zlib library will be updated, and all applications will start using it.
The trouble comes with those software authors that wanted to be clever and to 'cut down on dependencies' and included a whole copy of zlib statically linked into their application. Now you have to replace the whole app to remove the zlib security hole. The dependency on zlib is still there, just better hidden, and in a way that makes upgrading a lot harder.
If Microsoft had any sense, a zlib.dll would be bundled with Windows and then Office (and many other apps) could use it. But they wouldn't want to do that, partly because it would involve admitting that they use such third-party libraries.
-- Ed Avis ed@membled.com
It affects countless software applications, even on Microsoft Windows.
I thought Microsoft was proprietary and didn't use open source like zlib? Snicker. I guess Microsoft is being assimilated.
It is really something that this flaw impacts so many applications.
This situation is unnecessary; the problem is that C is not a type-safe language, like ML, CAML, Haskell, Common Lisp, Scheme, Java, etc.
You could write that code in SML/CAML/Common Lisp and likely get it to run as fast or faster than the original (particularly if you did some space/time tradeoffs ala partial evaluation). Integration with the applications in the form of a library would be the tough part.
Here's a provocative bit from Paul Graham (Lisp expert entrepreneur) on buffer overflows.
http://www.thebricktestament.com/the_law/when_to_
The direct cause of this of course is programmer error. But lets be honest, we cannot realisticly expect a programmer to check every single pointer related statement in systems running into the thousands of KLOCs. You can certainly invest a lot of effort and reduce the number of potential bugs, but even then you cannot be sure that you've found them all. We really need to start using tooling (languages, compilers, APIs etc etc) that removes this task from the progammer. I'm not saying that every software project out there is suitable for this, but most userspace programs should be.
I'd far rather have an application that today is a little slower, but secure instead of fast but unsecure. Think about it, today it'll be slow and secure, in a year time it'll be fast and secure once the hardware cycle has caught up with the extra overhead introduced.
2B || !2B
Slander! I only mod people down when I'm off crack!
sig? Oh, that sig...
Yes, both Visual C++ and the GCC ProPolice extensions provide stack and heap protection. And in general these techniques have a minimal impact on execution speed. Unfortunately, this does not solve the problem. There are still viable attacks that can be preformed by avoiding the stack canaries or heap allocation headers and overwriting other vulnerable data. The probability of developing a successful exploit is lower, but it's still there.
I don't disagree that building secure applications is hard, but it's certainly not impossible. Modularized code just adds another layer of compilcation and potentially confusion. Most of this can be addressed by documenting the design and interface constraints, and ensuring that they're followed. At that point even most security vulnerabilities are primarily implementation defects. Defects will of course still occur, but the trick is to build systems that fail gracefully.
Developers must to account for defects and expect that every form of security protection will fail given enough time and effort. This is why the concept of "Defense in Depth" is so important. By layering protective measures you provide a level of security such that multiple layers have to fail before a compromise becomes truly serious. Combine that with logging and monitoring, and a successful attack while usually be identified before damage is done.
Take the above vulnerabiliy and assume it exists in an exploitable form in a web app running on Apache with a Postgres backend. If the server had been configured from a "Defense in Depth" perspective it would be running in a chroot jail as a low privilege account. Any database access required would be performed through a set of stored procedures or a middleware component that validates the user session and restricts data access. SELinux or GRSecurity would be used for fine grained user control on all running processes. All executables would also be compiled with stack and buffer protection.
In the above scenario, you see that this single exploit wouldn't get you much. However, most systems are deployed with one layer of security, and that's the problem.
The problem with writing code in a typesafe language is, as you have noted, integration with libraries. The main reason that so much code is writen in C is that C needs pretty close to zero runtime support.
Not only do languages like Lisp need a fairly extensive runtime, they need dynamic memory allocation and garbage collection, and when you share garbage-collected objects between languages (potentially between multiple languages each with their own allocation models) you're asking for a whole new kind of hurt.
Find a type-safe language where the generated code is standalone and has an easy mechanism for importing and exporting data, and you'll get some traction. And much as I like lisp-family languages myself, that's not the way to go... nor is anything like Java. Perhaps there's something in the Modula family that will work, though my own experience with Modula 2 has not been encouraging.
Can someone explain why this zlib buffer overflow is only considered as a candidate for inclusion in the CVE list?
Has it not been completely verified, or is there just a lot of red-tape involved in being accepted by the CVE board?
Has anyone read the zlib code? While the author clearly tried to make it readable it's still very complex and it's very hard to see at a glance or even after many glances where potential buffer overflow problems may exist (or even where it might fail to implement the deflate algorithm). C is great language for writing an operating system where all you care about is setting bits in a machine register but this algorithm really taxes its abilties.
For comparison here is the deflate algorithm written in Common Lisp. It all fits neaty into a few pages. This is a far better language comparison example than the oft-cited hello world comparison.
or does it seem the end of the world will be caused by a buffer overflow?
For the undead crowd out there:
OpenBSD is affected, and was patched on the 6th of June
FreeBSD is affected, and was patched on the 6th of June
NetBSD base system is not affected, but a zlib from pkgsrc is, and was patched on the 8th of June
I see a lot of people complaining that it was badd that so many programs used zlib. Bit i think it is good.
Why??
Well they found one severe bug in one library and probably fixed 1000 programs within 24 hours from a critical bug.
well that is what i call a good track record.
Using mature and stable libraries is good, and it would have been better if they were even more rigorly tested and reviewed, but maybe that is how they found it.
I would however advice to use on stable components rigorous test and analysis tools that look for anything that can cause memeory errors and can advice on speed optimizations. Not just accepting them as beeing stable.
Greetings
There are no stupid questions, Just a lot of inquisitive idiots. (from a good friend)
I'm surprised it's anywhere near that low
...instead of looking for information on the NX bit from the buffer overflow page in Wikipedia, look up the thing specifically here. Yeah.
Happy people make bad consumers.
It's all very good advocating the use of languages that mitigate against heap and stack overflows et al. But as the recent XML RPC vulnerability in PHP applications should reinforce, the bad guys are migrating to higher level language attacks too.
The fundamental problem is that all too often, different components of a system have are implemented with different input validation. For example a web browser component running an web application may accept all text input, whereas the backend database is only expecting a subset of text inputs.
Developers should establish what input the lowest level component and highest level components will require to get the job done and validate input into all components subject to these requirements. Where the lowest and highest level components have different requirements then the developer needs to define some method of encoding values that would otherwise be considered invalid, and ensure that all components enforce this encoding.
Tim Brown
because it would involve admitting that they use such third-party libraries.
A company of that size doesn't sneakily use 3rd party software. They pay $$$ for 3rd party software they include, and they would only use 3rd party software if it was patented by a 3rd party, or prohibitively expensive to develop themselves. I'm pretty sure that does not include z-lib.
If anything, this story is about how good modularization is. Simply updating one shared library (libz.so or zlib.dll) will fix the problem for all of your installed applications. No?
In Soviet Washington the swamp drains you.
If the argument were that simple, static linking would never occur.
The flip side of the argument is that installing a broken zlib will break all application that are dynamically linked, but have no effect on those that are statically linked.
Remember too that an upgrade to a dynamically linked function means that proper testing must include all software that uses that function. A statically linked application can be tested as a standalone unit.
The resulting isolation of points of failure and lower MTTR is often seen as an advantage in production environments.
I remember this specific situation occurring in a production environment I worked in. A common library was updated, causing the failure of multiple critical applications. The ones not impacted? Statically linked.
Both sides of the discussion clearly have advantages and disadvantages; they have to be weighed to determine the proper risk/benefit.
Can You Say Linux? I Knew That You Could.
But what if you are running it in an embedded system that has been deployed on a Spacecraft?It's NOT easy at all to make that change! Zlib is in a LOT of places where data compression is needed as the algorithm and code are free. We found this zlib bug close to 3 years ago at NASA IV&V duing Code Analysis for the SWIFT mission using an Automated Tool (CodeSurfer). The tool told us we has a possible buffer /memory overflow problem in the zlib code at a certain spot. We had to figure out what was causing it which we non-trivial. TWe reccommended a fix then, and I'm pretty sure it was patched by the developers at least for the SWIFT mission. I'm surprised it has taken this long for the problem to be noticed in the mainstream software community. As others have said, keeping your libs up to date can resolve the problem. But once the code is released it becomes a much bigger task. It's theoretically possible to test software for all know conditions that might be serious enough to crash the system or open doors that should not be open. However, that task is VERY timeconsuming and the software DOES have to get to market! It's a hard line to walk to determine how much testing is enough and where to test deeper and where not to. Profilers and Analysis tools are very helpful but in the end it comes down to a human judgement (mistake) that things are "good enough"/
Not in the least bit, observe, just verified with ldd that Xorg and firefox have libz dynamically linked in on my system, which means on program restart, it will pick up the code from the shared library at runtime. It's the whole point of a dynamicly linked library.
Now once upon a time, a lot of distributions (and open source projects out of the box even) would just static link in libz for some reason or another, but after some security issues in the past that caused massive headaches for package maintainers, that practice has largely ceased.
XML is like violence. If it doesn't solve the problem, use more.
You don't have to test every piece of software that uses a dynamic library. Proper unit tests for the library itself will be enough, as long as they're comprehensive and cover the entire API; the only apps that might still break are those that use the library in ways it's not intended to be, but that's really the app developers' own fault then.
quidquid latine dictum sit altum videtur.
The flip side of the argument is that installing a broken zlib will break all application that are dynamically linked, but have no effect on those that are statically linked.
That's why some people like to use (say) debian stable in production environments: security fixes are backported to the well-tested version of the lib, making a breakage quite unlikely.
I patched this already.
If your post isn't total bullshit, I'm pissed! I think there should be repercussions for this totally irresponsible attitude we see coming from NASA. When you say "the developers" I'm assuming you mean the developers of the SWIFT mission software, not the developers of zlib, because otherwise we wouldn't be seeing this article on Slashdot!
If, for some reason this turns into another Sasser or Code Red, I think penalties aught to be sought against these fuckwads. Using OSS has responsibilities associated with it too, you know!
"terrorism" and "pedophilia" are the root passwords to the Constitution
-- Language is a virus from outer space.
You're not actually comparing statically linked libraries with shared libraries. What you're actually doing, is comparing upgrading with not upgrading. The library in the statically linked program did not get upgraded.
It's unclear how exploitable this bug is with OpenSSH. Just to be sure, apply the patch, recompile zlib, then relink and reinstall ssh.
If you don't want to go to the trouble of doing that right now, a quick fix would be to disable compression in the sshd_config file ("Compression no") and restart sshd. In fact, zlib has had a string of several security bugs recently, so it may be best to just do this anyway.
This is a perfect example of why dynamic linking is Usually A Good Thing. People are always going to be using libraries, and, like all code, those libraries invariably have bugs.
Appallingly, so many people still insist on static linking of published binaries, with no more compelling reason for this than a barely measurable performance boost they could make up for ten times over by profiling the app and recompiling with that data. This of course assumes that they're testing the final binary.
I don't mean to start up the static vs. dynamic linking flamewar, because there are plenty of circumstances where static linking is perfectly appropriate, but if you can't make a good argument for it, dynamic linking should be the default.
Now we have countless windows apps out there with overflows in both JPEG and PNG (recall the overflow in JPEG a few months ago). It looks like the old "images are safe" mantra that tech support has been spouting out to users regarding attachment safety is falling apart.
There's no failure quite as dissatisfying as a complete and total solution to the wrong problem.
A vulnerability has been found on a Microsoft product?
:)
This changes my whole world. Now I'm going to have to stop purchasing Microsoft products..
oh wait..
That's a tad optimistic. Think about it, were that true, there would be no need for any sort of testing other than unit testing. You'd simply test all the units separately (per their APIs) and that would be enough to prove the whole system will work.
APIs always leave something to the interpretation.
Take Java. There are thousands of API methods carefully documented, and thousands of unit tests which Sun can run on any Java implementation to check that it is totally compliant. Does that mean you can run your app on a different version of Java and count on it to 'just work', with no extra testing? You'd be a brave guy if you did.
fud, notfud, yes, no, maybe
Here is a sample of the Scan log.
Input is just one interface... every internal interface in a system also needs to be designed so that it only accepts known safe or encapsulated data, and if there's limits on safe input they need to be something that the upper layer can reasonably check without having to effectively replicate the component it's passing the data to.
Let's say, for example, that this overflow involves a pathological artificially created compressed stream. To test for it, you may have to implement most of the algorithms in zlib. To test for it in an image file, you'd have to implement a decoder for that image format that would at least extract the compressed streams to pass to zlib... as well as implementing zlib.
If the problem in the underlying component is a bug that involves the structure of a complexly encoded data stream, it can't really be described in the input or any internal interfaces. Which means that you're not going to catch it with input validation.
Which means that while resiliant interface design is important, it's not going to be enough to block deep attacks. The only way to do that is to make the components themselves secure and resilient. And depending on input validation can cause problems, just ask anyone with an unusual surname.
Zlib itself contains 8000 lines of code. Not very big, is it? It's been around for years and is widely used, so in theory a lot of people have been able to look at it. And yet, after all these years, they are still finding buffer overflows in these 8000 lines of code.
Zlib was not written by monkeys. It was written by very smart, experienced coders. And yet somehow they are not able to write 8000 lines of code without multiple serious buffer overflows.
As long as code like this is written in C we're going to have these problems.
Saying, "there's a critical buffer overflow in a library written in C" is as newsworthy as saying "when I bang my head against the wall I get a headache."
This is really an argument for versioning dynamic libraries very carefully. The Linux dynamic linker has perfectly good support for avoiding problems like this. Each shared library has a "SONAME" field. Programs linked against the library should be able to use any later version of the library with the same SONAME. If the library changes in some way that breaks desireable behavior, it is supposed to get a new SONAME. The system keeps two sets of symlinks, in addition to the object files: libfoo.so is the latest version and libfoo.so.{version} is the latest version of a compatible series. When you link a program, you use the libfoo.so to find which series is newest. When you run a program, you use libfoo.so.{version}, so you get the newest compatible version.
It sounds like the problem you had was that the common library version number wasn't changed when it should have been. If it had been changed, there would have been no effect on any of the existing programs, static or dynamic. Of course, for a two-line fix to a function which only changes the behavior of the library when dealing with corrupted files, and resulted in a buffer overflow instead of an error, the change won't break anything except attacks, so keeping the same SONAME is right.
Note that you can see this by doing "ldd {program}", which will report how it looks for each library and what it finds. And you can see that zlib claims to be backwards compatible all the way through 1.x, while openssl is only to 0.9.7.
> Nothing more fun than firing off a couple apt-get upgrades in the morning while watching your bsd/gentoo friends sit around rebuilding
What!!! The gentoo/bsd crowd wouldn't staticly link zlib. They would only need to rebuild one package. You sir, are full of crap.
Absolutely.
Most Common Lisp compilers compile to machine code just like C compilers do. The overhead imposed by the runtime type dispatch for operations is very small (and can even go to zero in many cases). Any difference in deflate speed is likely to be insignificant part of the overall speed any application using zlib.
My daily work is on a server system deployed in telco networks. Its all written in C, even things like postprocessors for data analysis. To be honest, only a few or the dozen required processes really need to be implemented in C, the rest are more or less IO bound. For us things like GUIs, data analyzers and some non-latency sensitive protocol converters could easily be implemented in a 'slower' language. You might call them toys, we call them part of our product. Customers even see them as the product.
In fact, fixing bugs on these 'toys' is almost as expensive as fixing them on the server-kernel. If we are able to reduce the number of bugs and LOCS on the non-kernel code, then the business is free to deploy its software development resources in way that generates profits instead of decreasing them .
2B || !2B
Hey you guys,
Just wanted to point out that, amidst the usual "They should've written it in perl" type nonsense, can I just point out that
** This is a _really_ serious bug **
Zlib is very easy to use, effective, and standard, so has been VERY WIDELY incorporated into apps for the last half-dozen years. Those apps are all the most popular *INTERNET FACING* apps (b/c most everyone adds a dash of zlib on incoming or outgoing internet data), and they almost all trust zlib to not blow up on incoming data.
Dudes, not only PNG, but *Macromedia Flash* does and has always used zlib. Anyone fancy checking that?
Perhaps it might be an idea to write a firewall filter that inspects data to detect poisoned zip streams? I believe it can be done reasonably efficiently b/c zip streams are not that expensive to identify.
[FrLz]
Luckily there were some Gentooists recompiling their systems packages every so often, since the vulnerability was found by the Gentoo Linux Security Audit Team here. I've always thought the the more projects making use of the same library, as well as, the platforms a project is ported to eventually improves the quality and stability of the code. In this case the security was improved, but in general the abstracted parts of the code improve.
--Excyl
you could write the most incredibly scary 'sploit with this hole;
;-)
Naturally I don't know what I'm talking about (in terms of sploitability of the zlib hole, but it looks bad from a cursory scan) but..
Let's say that there are a buttload of vulnerable programs (let's suppose; multiple browser/IM client PNG implementations, Flash Player(!), email browsers, etcetera) and they mostly link in (statically or dynamically) one of say 4 different builds of zlib. I am making assumptions here which someone will be happy to correct me on, but as this code is right in the core of the decompressor, the local stack frame (regardless of which vulnerable app is running) will likely be usually very similar, making a near-universal buffer overflow sploit at least more practicable.
Now this may be conjecture, but it seems possible that sufficiently misguided individual(s) could work hard and produce an outrageouly virulent nasty that could infect a multitude of different apps. Dunno how hard it would be to get the payload working though.
Certainly busting into a web server will get much easier for a lot of people - there are a lot of server apps that accept (or look inside) zip files, not to mention _virus scanners_. Oh the irony - Your virus checker gets you 0wned.
Disclaimer: Actually implementing any or all of the above sounds like, at best, a waste of one's precious lifetime. Go hang out with some friends instead.
[FrLz]
zlib written in CL, sans buffer overflows: http://www.cliki.net/Salza
Drew Crampsie - Software Developer
Open Source Business : The Tec
Er... no. Long running software (ie daemon) will continue to use the old version, which would reside in memory (in their code segment, I guess). We got beaten by this a little while back, when there was a worm exploiting Apache thru a bug in OpenSSL. The guy responsible for applying the security updates did in fact update the lib, but did not restart Apache. Result ? One of our machine got owned, even though the bug was patched.
:wq
The language shootout is crap. They don't even try to measure throughput, so a lot of the measurements for C are very small number and thus have a lot of error. They should have run the tests until a certain time had been reached (run sorting test for 10 seconds, say) and measured how much work was done. But they didn't because doing this trivial thing was 'too difficult'. They claim to measure Java startup time by using a baseline program that does a println, but this is completely bogus since they use other classes in the benchmarks, the load time of which is not included in that baseline. For Java, they also compare Character.isUpper() which implements locale-based semantics (2 method calls and 2 if condidions) with a C version that uses a freakin lookup table to avoid branch delays. I'm sure the same lack of objective fairness applies to other languages as well.
In short, the shootout data is crap. Basing your conclusions on it is about as intelligent as getting your news from Fox.
Why do you think you only had to upgrade a single package to get this fixed? It's because zlib is dynamically linked into the other programs. You would only need to rebuild all of your packages if you had zlib statically linked into your programs, which isn't done by anyone (even the bsd/gentoo folks) who isn't insane. Right now i'm using Gentoo, and all I had to do was update zlib which didn't take more than a couple minutes.
#include ".signature"
Ah, but when? Do they start using it immediately, or do running programs cache the old library, and therefore need a restart? And, if you don't know which programs are running it, then you have to reboot, right?
I agree that it's useful to patch one library rather than several programs, but it doesn't necessarily mean that you're safe just from updating the library. You also need to restart all the programs that use it.
Given that software is always bound to have flaws, modularized code allows you to fix the problem once and have it fixed in all applications that use that library, which is what I just did in my Debian system.
To pretend that replicating the same fuctionality across thousands of incompatible libraries in different operating systems is the solution is as close to blindness as you can get.
You say that modular code helps in maintainability. Yeah, and a big part of the maintainability is making the code maintainable from a security point of view. In summary, I want to fix things once and have them fixed across the board in all applications that use a library.
Of course, you appear to be coming from the world of proprietary operating systems, where the concept of a distribution of software that works well together and is maintained as a whole of does not exist.
The fact that on Windows, you may have to get the same fix from Microsoft, Adobe, Corel and a thousand other vendors only highlights the fact that open source code is both more reusable and more maintainable and thus ultimately more secure because the security process can be optimizied through modularity: Fix once, fix everywhere!
Pragmatism as an ideology is not particularly pragmatic in the long term. Keep it in mind when you dismiss Free Software
The reason I don't have mod points this week is because my pipe is broken, in fact.
Um, I'm sorry but plenty of progams that the Gentoo/BSD crowd use statically link to zlib, and thus, must be patched and rebuilt, thus meaning that the grandparent is correct.
While setting up Gentoo for the first time myself, I remarked about this, and of course, my friends told me it would be "no big problem". Sadly, the 500MHz Celeron system I installed it on will now require to be shut down for nearly a week while it goes through everything effected and rebuilds it all. Of course, ccache and distcc will help speed this up, but neither is the perfect solution (distcc requires the computers be up and running and on the network during the entire compile process, ccache can only ccache objects that don't change and can take up a ton of space with cached objects).
Meanwhile all of my file servers will be perfectly alright with an apt-get upgrade and a manditory restart (system policy; I'd much rather insure the newer libraries are loaded into memory than risk it).
"Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
What are you talking about? All I had to do was to rebuild zlib and restart apps that used zlib. Oh, I did that while I ssh back home from work, all I had to do was to fire off a couple commands to do the same fix as apt-get.
Please, learn how a Linux/BSD system work, how linked/static binaries work before start critiquing other distributions with non-sense.
Please direct all bug reports to
$ uname -a
Linux mars 2.6.10-gentoo-r6 #1 Fri Jan 28 04:06:48 CST 2005 i686 AMD Duron(tm) processor AuthenticAMD GNU/Linux
$ for x in
> ldd $x | grep libz
> done
libz.so.1 =>
libz.so.1 =>
libz.so.1 =>
libz.so.1 =>
libz.so.1 =>
libz.so.1 =>
libz.so.1 =>
$ ldd
not a dynamic executable
so.. of the programs that I could think of that link to zlib, only firefox doesn't link dynamically by default.
-metric
that's because /usr/bin/firefox is a shell script. The real firefox binary is loacted somewhere like /usr/lib/mozilla-firefox/firefox-bin.
/usr/lib/mozilla-firefox/firefox-bin | grep libz /usr/lib/libz.so.1 (0xb76b4000)
$ ldd
libz.so.1 =>
...I think penalties aught to be sought against these fuckwads. Using OSS has responsibilities associated with it too, you know!
No. You REALLY don't want to put the burden of responsibility on anyone wo happens upon a bug. If this person is working on project X for NASA, and they're getting paid for it and they have deadlines, I certainly DO NOT want him going off on a tangent to fix a bug in software library Y.
When you're working, your number one priority should be getting the assigned task done. There are people at NASA who do contribute oodles of code to Linux and other projects, and that's part of their job description. It's none of this guy's business to be tweaking zlib when he's getting paid to make SWIFT work.
Granted, it would be polite to drop a line to the maintainers letting them know about the bug.
As a snide post-script of sorts; people like you scare the crap out of the vast majority of businesses out there who are thinking about using OSS.
"Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
> Um, I'm sorry but plenty of progams that the Gentoo/BSD crowd use statically link to zlib, and thus, must be patched and rebuilt, thus meaning that the grandparent is correct.
OK name a few then, and binary programs like ut2004 or mozilla-firefox-bin that aren't compiled from source don't count.
Have you ever looked at the zlib source code? I used it to embed some PNG capability into a utility I wrote several years ago. It's a mess. There are typedefs, macros, typedefed maros and macro'ed typedefs all over the place. I guess it's for portability but that doesn't necessarily make it programmer-friendly. I am not surprised at all.
Huh? USE=-static set, just emerge zlib, takes maybe 20 minutes on a slow system, and there you are. And it will be a faster version. The linux scheduler is good enough that if you run it at nice 19 the compile won't affect your use of the system.
I am trolling
Hmmmm, I had a minimal Fedora 3 installation on a wonderful coLinux installation, which seldom gets updated packages, but I noticed zlib was updated the other day (via freshrpms, apt-get). Kinda surprised me that something as mundane as a compression library would need updating. But I'm guessing this is why, and several days before the news hits slashdot, awesome.
Love many, trust a few, do harm to none.
I'd like to say that this shouldn't even be an issue, but unfortunately that would damn us to Windows-like constant reboot-on-install-and-update hell. (I assume this is a large reason of why Windows demands reboots after updates.)
A somewhat less foolproof solution would be to drop the machine to single user, then bring it back to multiuser. That has its own set of obvious problems that aren't acceptible in every situation.
I tried ./Configure --help with OpenSSL-0.9.7g for Linux, and noticed something that might help in the output:
[[no-]zlib|zlib-dynamic]
Would it help to re[configure & compile & install] with the no-zlib option? I know it's just a bandaid, but every little bit helps, right?
According to the CERT bulletin, zlib 1.2.2, released in Oct 2004, fixes this issue. Is this really patched or not?
> You cannot bind dynamic-length strings into a
> language and match the efficency (at least on a
> function-level) of a static language.
Actually it turns out you can Anonymous Coward, at least in Common Lisp. Through the use of type declarations and the 'optimize' declaration you can declare your intentions that it's more important that a piece of code run fast than it be safe from bad input. In that case string operations are as fast as C.
Generally you only worry about speeding up the key loops in your code (there's that old saying that N% of the time is spent in M% of the code for N >> M). Before removing type checks through the optimize declaration you add code to ensure that the input is ok and then you let the compiler generate optimized code for the loop. Thus you're only vulnerable in a small part of your code and with your own checks you eliminte that vulnerability. With C you're vulnerable in all your code by default. And that brings us back to zlib...
Remember too that an upgrade to a dynamically linked function means that proper testing must include all software that uses that function.
Wrong. Totally wrong way to go about it. If you're building with a library the library should be treated as a black box. If you can't trust it to work as a black box, don't use it.
The habbit of doing this kind fo regression testing is a bad habbit brought about by people relying on bad libraries. Think about it. If a mechanic replaces an air or oil filter, he may test the car to make sure it runs but he sure as hell isn't going to go through the rigorous checks the engine went through at the factory. If mechanics worked that way they'd be out of business. So too with coders.
These posts express my own personal views, not those of my employer
So, does anyone know a good way for me to identify binaries on my system which are statically linked to zlib?
/{,usr/,usr/X11R6/,usr/local/}{s,}bin 2>/dev/null | while read FILE ; do
/opt/*). This is just a proof-of-concept.
Will this work? Is "zlib" a good enough string to search for?
#!/bin/bash
grep -rl zlib
if ! (ldd ${FILE} | grep libz >/dev/null); then
echo ${FILE}
fi
done
And yeah, I know there are other locations where I have binaries (e.g. ~/bin,
Be careful. People in masks cannot be trusted.
I, for one, was pleased to be a user of Gentoo Linux when this bug hit. I got notification via e-mail before the CERT report was even live, and after an emerge --sync and emerge zlib (the compiling of zlib took hardly any time at all), I ran lsof | grep libz and restarted the affected packages. Fixing my cluster at work took a few minutes, and I fixed my machines at home over SSH.
And just what is "bug free" anyway?
To use a building analogy, we can create a perfect, bug-free classes, doors, windows, chimneys, plumbing, etc. etc. But even with "perfect" classes, you'll get some "idiot" using them in unexpected ways, like uing a shower curtain instead of a security screen for the front door.
Do we counter this by restricting how the "shower screen" class can be used? Or by limiting what kinds of classes can be inserted into ExteriorWall()? Can we reasonably anticipate how people will combine things?
To paraphrase The Young Ones, "Well it doesn't say, 'do not fill VCR with dish washing detergent'"
Xix.
"Everything is adjustable, provided you have the right tools"
There are good arguments for both static and dynamic linking -- neither is inherently better than the other for all situations.
What we really need is the ability to take a statically-linked binary and relink it with a new version of an included library like this, without requiring the source or object files. (Of course, this would require retaining relocation information in the binary.)
If relinking were possible, needed security fixes could be safely relinked into existing static binaries on demand, without risking random breakage from library upgrades...
Deven
"Simple things should be simple, and complex things should be possible." - Alan Kay
That's a terrible benchmark. They've not even tried to be fair -- I can see no other reason why you'd see results like this:
/.'s lameness filters are rejecting it. You can look at it yourself if you like.
Language / time / mem usage
(binary-trees)
C gcc 5.95 4,496
C++ g++ 18.71 16,176
(count-words)
C gcc 0.18 260
C++ g++ 1.31 744
I mean, you pay a slight penalty for using c++, sure, but it doesn't make your code 3 times (or even 6 times) slower, and use 4 times as much memory. That's bullshit if ever I saw it.
I mean look at the code for the count-words test. Here's the C++:
OK. I don't get to paste the code in, case
It's a reasonable implementation. I'd optimise it by not using a streambuf (I don't know whether the 'bumpc()' method will be inlined or not, so I'd rather not chance it), but just read data into a character array and use that. I'd also use unsigned characters and check "c Your comment violated the "postercomment" compression filter. Try less whitespace and/or less repetition. Comment aborted.
Yeah, fuck you too. Anyone'd think this wasn't a site where programmers regularly tried to discuss coding techniques.
And yet aren't these the advantages of Unix-like systems over Windows? That you don't have to reboot after every update, that you can gracefully restart services?
Maybe the only way to _really_ fix the problem is to go to a managed code system (Java, or
-- Ed Avis ed@membled.com