Slashdot Mirror

← Back to Stories (view on slashdot.org)

Zlib Security Flaw Could Cause Widespread Trouble

Posted by timothy on from the all-over-the-place dept.

BlueSharpieOfDoom writes "Whitedust has an interesting article posted about the new zlib buffer overflow. It affects countless software applications, even on Microsoft Windows. Some of the most affected application are those that are able to use the PNG graphic format, as zlib is wildely used in compression of PNG images. Zlib was also in the news in 2002 because of a flaw found in the way it handled memory allocation. The new hole could allow remote attackers to crash the vulnerable program or even the possiblity of executing arbitrary code."

72 of 372 comments (clear)

  1. Modularised code will always have this problem. by Ckwop · · Score: 5, Interesting

    Why are we still having buffer overflows? There's a compile option in Visual C++ that allows automatic buffer overflow protection. Does GCC have this switch? If so, why not? And why are people not using this? We have enough processing power on a typical PC to spend on these security such as this. Performance is not an excuse.

    Looking further, this is an interesting example of the problems with monoculture. The BSD TCP/IP stack was copied for Windows and Mac OSX - this is great, it saves a tonne of time but you also means you inherit the exact same bugs as the BSD stack. This gives you an impression of how difficult it is to design secure operating system. If you borrow code such as this, you have to make sure it's secure. You can't really do that without line by line analysis which is unrealistic. In libraries the problem is especially accute. If you make a mistake in a well used library it could effect hundreds of pieces of software, as we've seen here.

    We can't modularise security either, like we can modularise functionality, because you can take two secure components and put them together and get insecurity. Despite the grand claims people make about formal verification, even this isn't enough. The problem with formal verification is that the abstraction of the language you're using to obtain your proof may not adequately represent the way the compiler actually compiles the program. Besides, it's possible to engineer a compiler that deliberately miscompiles itself such that it compiles programs with security flaws in it.

    What i'm trying to say is that despite what the zealots say, achieving security in software is impossible. The best we can do migitate the risk the best we can. The lesson to learn from security flaws such as this is that while code-reuse is good for maintainability and productivity, for security it's not great. As always, security is a trade-off and the trade-off here is whether we want to develop easy to maintain software quickly or whether we want to run the risk of these exploits being exploited. Personally, I fall in the code-reuse camp.

    Simon.

    1. Re:Modularised code will always have this problem. by mistersooreams · · Score: 4, Interesting
      There's a compile option in Visual C++ that allows automatic buffer overflow protection

      Is there? I haven't seen it. Even if there is (and I'm inclined to trust you), the reason that no one uses it is because it slows programs down so much. The pointer semantics of languages like C and C++ are fundamentally dangerous and the only way you can make them safe (checking every dereference individually) is painfully slow. I think a factor of three or four was the general consensus on /. last time this debate came up.

      I guess it's about time for the Slashdot trolls to start calling for the end of C and C++. Strangely, I think I'm starting to agree with them, at least above the kernel level. Is speed really so critical in zlib?

      --
      apterous.org
    2. Re:Modularised code will always have this problem. by Da+Fokka · · Score: 5, Insightful

      For some reason your comment is moderated 'troll', probably because you had the filthy guts of uttering the Forbidden Word 'Visual C++'.

      However, your question is prefectly valid. Automatic buffer overflow protection only covers the straightforward buffer overflow problems, i.e. array index overflows. In the case of more complex pointer arithmetic, where most of these problems occur, automatic protection is not possible (at least not without losing the option of pointer arithmetic).

    3. Re:Modularised code will always have this problem. by Da+Fokka · · Score: 2, Funny
      For some reason your comment is moderated 'troll', probably because you had the filthy guts of uttering the Forbidden Word 'Visual C++'.

      Actually, 'forbidden term' would be more appropriate. My bad.

    4. Re:Modularised code will always have this problem. by Ckwop · · Score: 4, Interesting

      See here

      On the broad issue on whether we should be using other languages, I think that saying "the programmer should carefully" is a bit misguided. Humans make mistakes and this is something that computers can do very well. Besides, if coding in such languages is slow, we can use a profiler to find the hot-spots and optimise the slow section using a lower level language.

      For that reason, I don't really buy the "but it's too slow argument" - I think it's a good trade-off to use a language that doesn't allow buffer-overflows.

      Simon.

    5. Re:Modularised code will always have this problem. by Anonymous Coward · · Score: 2, Insightful

      Speed is and will always be a feature. Let's say you have a program that takes 1 second to open a zip/gzip file and another program that takes 8 seconds to open a zip/gzip file.
      In the first case most users will just open the file to check the contents, which is a feature, fast access means you'll use the files in another way. An 8 second access time slows you down, so you'll be less inclined to check the contents.

      This goes for everything in computing. Previewing a filter change in your image program before applying it? If it takes 10 secs, why bother..., if it takes 2 secs, sure.

    6. Re:Modularised code will always have this problem. by grahammm · · Score: 2, Informative

      Also hardware support would help. Even 25 years ago the ICL 2900 series systems had a native hardware 'pointer' type (they called it a descriptor). This included in it the size of the object pointed to, and the hardware would check that any dereferences were not out of bounds.

    7. Re:Modularised code will always have this problem. by CaptainFork · · Score: 4, Funny
      Why are we still having buffer overflows? There's a compile option in Visual C++ that allows automatic buffer overflow protection. Does GCC have this switch? If so, why not?

      If so why not? - and if not, why so?

      Why why not but not if not? Why not not?

    8. Re:Modularised code will always have this problem. by bersl2 · · Score: 2, Informative

      There also exist modifications to gcc that perform the same function. A little checking on your part was all that was necessary to not fall into the publicization trap.

      However, all such methods introduce a very noticable performance penalty.

      Furthermore, there are documented ways of bypassing all such stack protection mechanisms.

      Stop bitching. Audit your goddamn code already. Or would you rather all the bugs be found by the bad guys (this one was found by the Gentoo security team)?

    9. Re:Modularised code will always have this problem. by Da+Fokka · · Score: 2, Insightful

      So get over it, "Da Fokka", and all you other insecure OSS fanboys, too.

      Actually, I agree with the first part of your post, I use VS.NET 2005 and I love it.

      Here is a pointer that will help you understand the first part of my post.

    10. Re:Modularised code will always have this problem. by Detritus · · Score: 2, Insightful

      I like programming in C, but I recognize that it is completely inappropriate for many of the applications that it is used for. When modern computers are thousands of times faster than those used for the development of C, we can afford to spend some CPU cycles on reliability and security.

      --
      Mea navis aericumbens anguillis abundat
    11. Re:Modularised code will always have this problem. by Stiletto · · Score: 2, Insightful


      Your argument assumes that buffer overflows are a natural and unavoidable aspect of C programming. I can show you plenty of examples of C modules without buffer overflows. Writing a complex system without buffer overflows is only a matter of using these modules together with a carefully constructed interface.

      I also doubt your argument that achieving security in software is impossible. People have been doing it for years and years. Unfortuately we are seeing more and more security breaks because the percentage of careless programmers out there has been steadily rising.

      You can write 100% bug-free code if you take your time, are careful and methodical, and do thorough unit and system tests. Those with the "Hey, all warnings but no errors--Ship It!" mentality give the software writing skill a bad name.

    12. Re:Modularised code will always have this problem. by ookaze · · Score: 3, Insightful

      You don't buy the "but it's too slow argument", OK, that's your right, and it is not surprising when your vision of programming is so narrow.
      We are talking about a low level LIBRARY here. Which means reentrant, placement independant code, efficiency, API accessible easily to any language and compiler.
      I think all of this is still very difficult to do right in other languages than C. It is already very difficult to do in C++.
      Anyway, your language without buffer overflows would not use pointer arithmetic, so would create a zlib a lot slower than the one we now, even if you optimise your high level language to the max.
      When you see that what takes time are basic lines of your language, you are toast.

    13. Re:Modularised code will always have this problem. by Richard+W.M.+Jones · · Score: 4, Informative

      Automatic buffer overflow protection only covers the straightforward buffer overflow problems, i.e. array index overflows. In the case of more complex pointer arithmetic, where most of these problems occur, automatic protection is not possible (at least not without losing the option of pointer arithmetic).

      Actually, automatic checking is very much possible, and has been for years. For example, Bounds checking gcc (that website is down right now, so try my page on the subject). That was written in 1994, and there are newer systems available now which don't have such a serious performance penalty.

      The real solution is to stop writing critical code in C. Other languages provide bounds checking, and are faster and safer than C: for example OCaml which I prefer nowadays.

      Rich.

      --
      libguestfs - tools for accessing and modifying virtual machine disk images
    14. Re:Modularised code will always have this problem. by doctormetal · · Score: 2, Interesting
      I also doubt your argument that achieving security in software is impossible. People have been doing it for years and years. Unfortuately we are seeing more and more security breaks because the percentage of careless programmers out there has been steadily rising.

      This is a problem of education. When I was at school you learned to program C and assembler. If you made a stupid programming error you would notice it real soon. Now they mostly teach languages like java which hides most of the defensive programming from the programmer. If you don't know about such things, you should not be programming in languages where you need to these things.

      You can write 100% bug-free code if you take your time, are careful and methodical, and do thorough unit and system tests. Those with the "Hey, all warnings but no errors--Ship It!" mentality give the software writing skill a bad name.

      Consider all compiler warnings as errors is what I always do. Every warning can be a potential runtime error.

      Thinking before you code can also help a lot.
    15. Re:Modularised code will always have this problem. by aws4y · · Score: 4, Interesting
      Why are we still having buffer overflows? There's a compile option in Visual C++ that allows automatic buffer overflow protection. Does GCC have this switch? If so, why not? And why are people not using this? We have enough processing power on a typical PC to spend on these security such as this. Performance is not an excuse.

      The problem I have with this statement is that any checks that Visual C++ may have are at best a fig leaf. Buffer Overflow protection is something that has dogged not just programers but hardware manufactures for decades now. If security is of such great consern why not make the assembler do buffer checks?, why not the operating system? why not the processor?, why not create a ram infrasturcture called SDDR in which the RAM itself does not allow anything to be accessed without a secure hash? the answer to all of these questions is that for every solution, event the stupid one at the bottom, the buffer overflow might take on a new form or the security measures themselves may backfire.

      Ultimatly the parent is IMHO over reacting, we are always going to have buffer overflows. This is not necissarily a problem so long as people are willing to disclose the vulnerability and work hard to get it patched before an exploit is out in the wild. This is the main argument as to why Microsoft software is insecure because often known vulnerabilites go months without being patched. They are getting better but they are nowhere near the transparancy displayed here. They made a mistake in coding, they are attempting to fix it but until all the vulnerable aplications are patched we need to be on guard for signs of malicious behavior from programs relying on zlib. In other words this is just a part of life in the world of computing.

      --
      Did Glenn Beck rape and kill a girl in 1990? gb1990.com
    16. Re:Modularised code will always have this problem. by Anonymous Coward · · Score: 4, Informative

      Actually, x86 already does, but nobody uses these features. When they fixed segmentation with the 386, segments were now accessed through selectors and offsets. The selectors pointed to one of two tables (GDT - global descriptor table or LDT - local descriptor table). Whenever a memory access was made using a selector, the CPU would look up the descriptor corresponding to the selector. It would check whether the current program had necessary access rights and privilege. If not, then a GPF would be thrown. Segments can be marked as read-only, read-write, executable and maybe a few more combos. Although the GDT and LDT each have only room for 8192 entries, that's still probably more than most programs would need. Each segment could correspond to a single object or array of primitive objects. There would be no buffer overflows because the CPU catches attempts to go beyond the limit of a segment. Stack data couldn't be executed inadvertently because the stack segment would properly be marked as non-executable.

      There are a few reasons, though, why we don't use this system. One is that loading descriptors is slow because it was never optimized in the CPU with the equivalent of a TLB as for paging. The other is that using segmentation requires 48-bit pointers rather than 32-bit pointers, or it requires loading segmentation registers and doing a dance with those. I suppose using longer pointers was a problem back in the days when memory was scarce, but it's hardly a problem now (check out 64-bit). Intel *could have* made segment descriptor access checks and loading fast, but I guess there wasn't a demand for it once paging was available.

    17. Re:Modularised code will always have this problem. by Anonymous Coward · · Score: 2, Insightful

      OpenBSD does this for everything

      I can't resist:

      Apperently they *don't* do this for everything, or you've just shown that code inspection won't trigger everything at all. And so does Visual C++'s rumoured "magical buffer overflow detection". Quite frankly, it's crap. It'll only trigger on *big* hefty overruns, and almost never on an off-by-one. And even when it triggers, all it does it put up the mightily annoying and terribly useless "DAMAGE detected after NORMAL block. Press Cancel to continue, Retry to abort, and abort to debug". And no, it won't even tell you exactly what variables were stored around the so-called "NORMAL" block. Bah.

    18. Re:Modularised code will always have this problem. by Tyler+Durden · · Score: 4, Interesting

      Why have hardware support that simply helps prevent buffer overflows when we can use hardware features that solve it? I believe that can be done with the NX bit in many modern processors. For more information, look in the Wikipedia entry for "buffer overflow". Getting all new machines to run with chips with this feature and operating systems to take advantage of it is the key to stopping the overflows, not new languages to generate low-level code.

      The problem I have with the argument, "Sure the software checks in higher-level languages will slow things down significiantly, but computers are so much faster now," is simple. Ever notice how even as memory/video card frame-rates/hard-drive space increases exponentially it seems that the newest applications tend to still max them out to compete? Well the same thing applies to speed. It's tough to explain to your manager that you are going to purposefully use a language that cripples the efficiency of your newest application to anticiplate your own carelessness. (I'm not saying I'm any better than anyone else on this point. I've had my share of careless programming moments myself).

      Does anyone know of any disadvantages to the NX bit that I don't know about? (Like significant slow-down worse than software checks or possible overflows that it would miss).

      --
      Happy people make bad consumers.
    19. Re:Modularised code will always have this problem. by Saint+Stephen · · Score: 3, Funny
      Foam at the mouth and fall over backwards. Is he foaming at the mouth to fall over backwards or falling over backwards to foam at the mouth. Tonight 'Spectrum' examines the whole question of frothing and falling, coughing and calling, screaming and bawling, walling and stalling, galling and mauling, palling and hauling, trawling and squalling and zalling. Zalling? Is there a word zalling? If there is what does it mean...if there isn't what does it mean? Perhaps both. Maybe neither. What do I mean by the word mean? What do I mean by the word word, what do I mean by what do I mean, what do I mean by do, and what do I do by mean? What do I do by do by do and what do I do by wasting your time like this? Goodnight
      -- Monty Python
    20. Re:Modularised code will always have this problem. by Dun+Malg · · Score: 4, Informative
      Stop bitching. Audit your goddamn code already.

      Oh please. When are we going to get past, "I know! Let's just write perfect software all the time!"

      There will always be some subset of people who refuse to accept the impossibility of absolute perfection. I believe their thinking goes like this:

      "Anyone can easily write a single line of bug-free code. If you can write twenty of those lines, you can write a bug free function. Write a dozen such bug-free functions and you've got a bug-free class. Write a half dozen or so bug-free classes and you have a bug free library. Using a collection of such bug free libraries you can write a few more bug-free classes held together by some bug-free lines of code and you've got a bug-free application. You're not so stupid that you can't write a single line of bug-free code, are you? There's no excuse for bugs. Just don't make mistakes. It's a choice, really."

      (I never had to work for anyone who said the above, but my brother in law, a coder for a large trucking company, had to put up with a "quality consultant" whose entire theory was essentially the above, punctuated with shouts of "attention to detail, people!" in between such lectures. A similar consultant is documented in an email in "The Dilbert Principle". Sadly, it's probably not the same guy.)

      --
      If a job's not worth doing, it's not worth doing right.
    21. Re:Modularised code will always have this problem. by ringm000 · · Score: 2, Interesting
      Anyway, your language without buffer overflows would not use pointer arithmetic, so would create a zlib a lot slower than the one we now, even if you optimise your high level language to the max.
      Really? I don't see any reasonable way for a compiler to implement arrays internally without pointer arithmetic, be it C or any high-level language.

      As for mandatory array boundary checks, they can really be optimized away whenever they are not needed. Most trivial example: in case the complier has verified that the loop counter is within the boundaries of the array, no check on access is necessary. Provided the optimizer is good, there won't be any significant difference between the optimized code with mandatory checks and the code where all necessary checks are added manually.

      It can even be possible to allow real pointers and pointer arithmetic, have certain source-level compatibility with C, and still have the code which has all necessary checks and is not prone to buffer overflows. E.g. check out Cyclone, which was discussed on Slashdot some time ago.

    22. Re:Modularised code will always have this problem. by perrin · · Score: 4, Insightful

      > The real solution is to stop writing critical code
      > in C.

      Yeah. Right. It pisses me off that whenever security gets spoken of here, someone comes up with this pathetic magic fix.

      Look, for commonly used libraries like zlib, you can't code it in anything but C. That is because only a C library can be called from every other language out there. Code it in, say, Python, and suddenly you lost all but Python programmers. Same goes for almost everything else. Yay for reuse of code!

      Point in case - you write "for example OCaml which I prefer nowadays". Keyword 'nowadays'. What happens when you move on to the next big thing that comes along? Can you call libraries written in OCaml from that language? Extremely unlikely. But I bet it supports calling C libraries, because no serious language can avoid that.

      Lots can be done to make C code safer. For example using safe versions of all non-safe functions, and integrating with a proper security model in the OS to drop non-needed permissions. But dropping the only language that can share code with everything else out there is just silly.

    23. Re:Modularised code will always have this problem. by Geoffreyerffoeg · · Score: 3, Insightful

      That is because only a C library can be called from every other language out there.

      This is wrong. What you meant to say is that only a library using the C calling convention can be called from every other language out there. Heck, I can write libraries in Visual Basic of all possible languages, and still have them compile against a C program (on Windows, and I'm sure it'll work on other platforms if someone ports vbc). If a language can call C functions, then it is likely (with a little effort) to have functions called by C - or any language that can call "C".

      I haven't used Python or OCaml, but if either of those languages can produce C-style .lib's, .dll's, .so's, .obj's, whatever, then they'll work as well from C. I've seen libraries fully usable in C coded in Delphi, because Delphi designed its object file format to interface with C.

      What's more, you say that C can work with (at least as a library) every other language out there. So what's the problem with a small C-language interface that just calls the Python function and returns the result?

    24. Re:Modularised code will always have this problem. by Dun+Malg · · Score: 2, Funny
      Of course, the fact that djb writes secure software using exactly that technique means *you* probably need to rethink your assumptions.

      Get a clue, you anonymous turd. DJ Bernstein isn't working under the whip of a corporate master demanding working apps in murderous short timeframes. Furthermore, the existence of one brilliant man who can manage to keep enormous amounts of state in his head and turn out perfect code is not prima facie evidence that all who cannot are somehow lacking.

      Personally, my goal is always perfection. I know it's difficult and I don't always achieve it, but I gotta wonder about people like you who "aim low".

      Who the fuck said anything about "aiming low"? My point is that errors happen and that you can't just browbeat people into not making mistakes. You say it yourself: "I don't always achieve [perfection]".

      Unfortunately, giving people lectures doesn't teach them how to do this.

      THAT WAS EXACTLY MY POINT, JACKASS!

      In an industry with about zero barrier to entry, most software is going to be crap. Most programmers simply don't know what they are doing. But don't let that cloud your thinking. It *is* possible to write secure software exactly like you describe.

      It is possible, but the chaotic way most programming shops are run make it highly unlikely. Overwork, lack of sleep, poor communication, and shifting goals make errors inevitable. One brilliant man sitting down and writing qmail on his own time and at his own pace does not scale to ten overworked regular code grinders trying to crank out two months work in two weeks.

      If you think "writing secure software is impossible", you've already lost

      If you think that's what I said, go back and read it the fuck again. Your reading comprehension is as bad as your superiority complex.

      please get out of the industry, or at least don't write software that deals with network data.

      After you, you arrogant prick.

      --
      If a job's not worth doing, it's not worth doing right.
    25. Re:Modularised code will always have this problem. by m50d · · Score: 2, Informative
      I haven't used Python or OCaml, but if either of those languages can produce C-style .lib's, .dll's, .so's, .obj's, whatever, then they'll work as well from C.

      Python can't, at least without embedding the python interpreter in the dll.

      What's more, you say that C can work with (at least as a library) every other language out there. So what's the problem with a small C-language interface that just calls the Python function and returns the result?

      Any language supports calling C libraries from that language. You have to, because for many things the only library available is in C, and there are millions of C libraries. Not so many support calling that language libraries from C - why would they? A big part of their attractiveness is their extensive standard library.

      --
      I am trolling
    26. Re:Modularised code will always have this problem. by CharlesEGrant · · Score: 2, Informative
      jesus. i am glad the people who build bridges, dams, etc... don't have your attitude.
      The people who build dams, bridges, etc., don't simply tell the construction crew to be be careful. They know that mistakes will be made, so they create protocols to minimize the likelihood of mistakes, and to maximize the likelihood of finding the mistakes that are made. For example, an in-law who works in avionics tells me that in any cable run that carries multiple cables, the cables are required to have physically incompatible connectors. They could just tell the manufacturing crew to be careful, but they know from long experience that if two cables can be confused, they will be, so they do their best to make it physically impossible to do so.

      Personally, I work down a suite of tools to help ensure reliability:

      1. Use a language and run-time that enforces bounds checking and managed memory. This is not always practial because of performance issues.

      2. If I can't do that, use libraries that hide the complexity of managing memory (smart pointers, smart arrays, and the like). This is not entirely reliable because it depends on the discipline of the programmer.

      3. If I can't do that, I use tools like valgrind in conjunctgion with unit testing, so that l can find memory errors after the fact. This can't be completely trusted because it depends on the completeness of the test suite.

      4. Code carefully and cross my fingers.
  2. The patch, and the E-Week article and quote by alanw · · Score: 4, Informative
    Here's the patch to inftrees.c (found on Debian.org):
    $ diff -Naur inftrees.c ../zlib-1.2.2.orig/
    --- inftrees.c 2005-07-10 13:38:37.000000000 +0100
    +++ ../zlib-1.2.2.orig/inftrees.c 2004-09-15 15:30:06.000000000 +0100
    @@ -134,7 +134,7 @@
    left -= count[len];
    if (left < 0) return -1; /* over-subscribed */
    }
    - if (left > 0 && (type == CODES || max != 1))
    + if (left > 0 && (type == CODES || (codes - count[0] != 1)))
    return -1; /* incomplete set */

    /* generate offsets into symbol table for each length for sorting */
    And here's the E-Week article with the quote
    However, Ormandy said, "Zlib is very mature and stable, so development is sporadic, but it's certainly not dead. Mark Adler [a Zlib co-author] responded to my report with a patch and an in-depth investigation and explanation within 24 hours, and I believe he expects to release a new version of Zlib very soon."
    1. Re:The patch, and the E-Week article and quote by inflex · · Score: 2, Interesting

      I wonder if it'd be possible to create a binary patch for prebuilt binaries ?

      Anyone got some suggestions?

    2. Re:The patch, and the E-Week article and quote by Haeleth · · Score: 3, Informative

      I wonder if it'd be possible to create a binary patch for prebuilt binaries ?

      For specific builds of individual programs, trivial. There are dozens of good, fast, and robust binary patching systems available - xdelta, bsdiff, and jojodiff are three F/OSS options. Of course, bandwidth is cheap enough these days that most people who use binaries can just download the new version in its entirety.

      A general-purpose fix that could be applied to any application using a statically-linked zlib would be much harder, possibly even impossible. This is one of the major advantages of dynamic linking - that a security update to the library in question can automatically benefit any application that uses the library.

  3. Important: Use a safe browser by aussie_a · · Score: 4, Funny

    Because Firefox renders PNG completely, it is prone to these sort of errors. However there is one browser that won't need a patch issued to be safe from this bug, which is Internet Explorer. While IE can render PNG a little, it hasn't implemented the full technology. By using IE, you ensure that you will be safe from any bugs that arise from new technologies, such as PNG.

    So next time someone recommends a browser. Stop and wonder about what technology the latest browser has implemented properly without regard to any security issues, and remember that it will be decades before IE implements the technology (if it ever does) so it will be safe for quite some time, by being a stable browser that rarely changes.


    Mods: This is not an attempt at troll, but a parody of the typical "This is why you should switch to Firefox" posts whenever a vulnerability involving IE. It should be painfully obvious, but then again most of you are on crack.

    1. Re:Important: Use a safe browser by ratnerstar · · Score: 2, Funny

      Were you born without a sense of humor, or did you have it surgically removed?

      --
      Just because you sold your soul to the devil that needn't make you a teetotaler. --The Devil and Daniel Webster
  4. Already patched by Anonymous Coward · · Score: 4, Informative

    Both Debian and Ubuntu released the patch for this problem 2 days ago. I assume the other big names in the Linux world have or will follow suit shortly.

    1. Re:Already patched by i_like_spam · · Score: 2, Informative

      What took 'em so long?

      Gentoo announced the bug July 5th and had the patch a day later.

    2. Re:Already patched by udippel · · Score: 2, Informative

      004: SECURITY FIX: July 6, 2005

      On OpenBSD

  5. Not just IE by mikael_j · · Score: 2, Informative
    Not just IE on WinXP, Firefox works equally well with this website if you are looking for a BSOD. (I just had to try it).

    /Mikael

    --
    Greylisting is to SMTP as NAT is to IPv4
    1. Re:Not just IE by TekBoy · · Score: 2, Funny

      It is sites like that this that make Firefox's Session Saver extension a bad idea. I just had to click it. :-) Then firefox just had to restore it the next time loaded. :-0

      My stupidity squared.

  6. even on Microsoft Windows by Turn-X+Alphonse · · Score: 2, Funny

    even on Microsoft Windows

    NOT WINDOWS! I was just about to move to it from this Linux thing!

    --
    I like muppets.
  7. welcome to four days ago: [ GLSA 200507-05 ] by Anonymous Coward · · Score: 2, Informative

    http://forums.gentoo.org/viewtopic-t-356659.html

  8. Glad I'm running Linux. by yog · · Score: 3, Informative

    I'm running RHN alert notification on Fedora Core 3, and my version of zlib has already been updated with a patch for CAN-2005-2096, the zlib overflow bug.

    It's interesting to read about these as they occur, but it's a nice feeling that my operating system is so well taken care of. Too bad that all personal computers aren't set up for this kind of timely response. I wonder about those millions of library computers, home PCs, small business computers, and other institutional setups where no one even understands the concept of an update, let alone regularly runs the Windows "security" update program.

    Another reason to use Linux!

    --
    it's = "it is"; its = possessive. E.g., it's flapping its wings.
    1. Re:Glad I'm running Linux. by moonbender · · Score: 3, Insightful

      Are all the apps on your system that have zlib compiled into them statically patched, too? (Although I'm not sure if that's even an issue.)

      --
      Switch back to Slashdot's D1 system.
    2. Re:Glad I'm running Linux. by Vantage13 · · Score: 2, Informative
      In Debian for instance, there is one zlib package that everything uses

      Not entirely true. See this list from the debian-security mailing list for a few which are statically linked.

  9. Re:For those with IE on XP,2003 by smallstepforman · · Score: 2, Funny

    Opera 8.01 works fine. But what else would you expect from Scandinavians.

    --
    Revolution = Evolution
  10. A case for packaging systems by eldacan · · Score: 4, Insightful

    We've seen many posts on slashdot recently explaining why the packaging systems are no longer desirable (if they ever were), that dependencies are a PITA (even with systems à la APT), etc.
    But when you have a flaw in a very popular library like this, you'll be happy to know that all 354 programs using this library on your system will be safe once the shared library is upgraded... Windows users must upgrade every software manually, and they often won't be able to know precisely what software may be affected...

  11. If you link with zlib the right way, easy to fix by Ed+Avis · · Score: 4, Insightful

    And this, my friends, is why 'dependency hell' is a good thing. A flaw is found in zlib - no trouble, just run the normal update program that comes with your distribution, 'yum update' or whatever, the centrally installed zlib library will be updated, and all applications will start using it.

    The trouble comes with those software authors that wanted to be clever and to 'cut down on dependencies' and included a whole copy of zlib statically linked into their application. Now you have to replace the whole app to remove the zlib security hole. The dependency on zlib is still there, just better hidden, and in a way that makes upgrading a lot harder.

    If Microsoft had any sense, a zlib.dll would be bundled with Windows and then Office (and many other apps) could use it. But they wouldn't want to do that, partly because it would involve admitting that they use such third-party libraries.

    --
    -- Ed Avis ed@membled.com
  12. Perspective of non-C Programmers by putko · · Score: 4, Informative

    It is really something that this flaw impacts so many applications.

    This situation is unnecessary; the problem is that C is not a type-safe language, like ML, CAML, Haskell, Common Lisp, Scheme, Java, etc.

    You could write that code in SML/CAML/Common Lisp and likely get it to run as fast or faster than the original (particularly if you did some space/time tradeoffs ala partial evaluation). Integration with the applications in the form of a library would be the tough part.

    Here's a provocative bit from Paul Graham (Lisp expert entrepreneur) on buffer overflows.

    --
    http://www.thebricktestament.com/the_law/when_to_s tone_your_children/dt21_18a.html
    1. Re:Perspective of non-C Programmers by Florian+Weimer · · Score: 4, Informative

      Common Lisp (the language) is not completely safe, it permits unsafe constructs which can even lead to classic buffer overflows. Most implementations omit bounds checks which are not mandated by the standard when optimizing, so these problems can occur in practice.

    2. Re:Perspective of non-C Programmers by Anonymous Coward · · Score: 4, Informative

      the problem is that C is not a type-safe language

      Please. This is a very boring misconception about types. It's not a type error. It's a pointer arithmetic error. Nothing a type system à la ML, Java, CL, whatever would have corrected.

      However, mandatory bound checking on arrays, at runtime, in those languages would have caught the problem.

      There exist type systems that can catch these kind of errors, but they are very cumbersome, and not very practical.

    3. Re:Perspective of non-C Programmers by po8 · · Score: 4, Informative

      Why does this topic bring the, uh, technically challenged out of the woodwork?

      I'm a Ph.D. computer science professor with 20 years of experience in design and implementation of programming languages, and the co-author of a C-like programming language featuring static and dynamic typing and runtime operand checking. The parent poster is confused.

      Static type checking involves automatically recognizing type-unsafe operations at compile time. In many programming languages, including C, if you write"s" - 1 the + operation is ill-defined, because the left-hand operand is of the wrong type: i.e., there is no string that is a legal operation to the - operator. The compiler can detect this at compile time and refuse to compile the program.

      Dynamic type checking involves automatically recognizing type-unsafe operations at run time. In many programming languages, such as Python, if you write"s" - 1 inside a function definition, the compiler will not detect the problem, because the general problem of detecting this kind of error is unsolvable unless one restricts what programmers can write. Instead, the execution engine can detect the problem at runtime when the - is evaluated and refuse to continue executing the program.

      Runtime operand checking involves automatically recognizing at runtime that an operation has an operand that, while of a type that might be legal for the operation being performed, is nonetheless illegal for that operation. In many languages, including Python, if you write 1 / 0 no error will be reported at compile time, because detecting such errors is in general impossible. Instead, the execution engine can detect the problem at runtime, and prevent execution from continuing.

      (Of course, there also is such a thing as static operand checking, which bears the same relation to runtime operand checking that static type checking does to runtime type checking. This is a hot research topic right now.)

      C's problem is that it (a) does not have a "safe" static type system, (b) does not have any dynamic type checking, and (c) has no operand checking. This combination of misfeatures is incredibly and obviously error-prone; offhand, I can think of no other popular language (not derived from C) that is broken in this fashion. Fixing (a) and/or (b) is not sufficient---(c) also needs to be fixed. Java, for example, has shown that this can be done in a C-like compiled language without noticeable loss of efficiency. (This was shown for PL/I more than 30 years ago, so it's no surprise.)

      The parent post gives an example in which the index argument to an array dereference is of the correct type and has correct operands. If x[2] was evaluated, this would be an operand error, since the combination of arguments x and 2 is not a legal operand combination for the array dereference operator. With the statement as given in the parent post, I'm not sure what principle it was trying to illustrate. I think, though, that it doesn't much matter.

    4. Re:Perspective of non-C Programmers by po8 · · Score: 3, Interesting

      We're pretty badly off-topic here, but what the hey...

      C was first designed and implemented in the time period from 1969-1973. It is hardly a critique of its original designers and implementors that we have learned a lot about programming language design and implementation in the succeeding 30+ years, and that many of the constraints of the computing environment have been weakened or removed during that time. Indeed, some of the original designers of C and UNIX spent a lot of time 10+ years ago developing an alternative language and runtime for writing operating system and application code that fixes the problems with C that I described.

      "In fact, when you are coding things like process and memory mangement routines and libraries, it is very handy to be able to do arithmetic with and compare to variables that are not "exactly" the same type, if the comparison or operation otherwise makes sense. Hence, things like the boolean FALSE and integer 0 being equal (which Java will complain about) are handy."

      If by "handy", parent meant "tempting" but "error-prone" and "potentially insecure", I think there's about 30 years' experience to back up this claim. Things as fundamental or important as my operating system's process or memory management routines are occasionally broken in particularly dangerous ways because their programmer did something that seemed to "make sense" at the time, even though a "safe" programming language wouldn't allow it. Go look at the changelogs of a recent UNIX kernel for plenty of examples.

      "The lack of dynamic type checking, operand checking and bounds checking allows the programmer to write low level or system code that gets out of the way of higher level code." I'm sorry, but I don't know what this means.

      "Imagine the performance degradation at the kernel if every comparison was dynamically checked for type, operand and bounds." One would prefer that operations be checked statically whenever possible. This is not so much for performance as because failed runtime checks in low-level code are difficult to handle gracefully. That said, as I mentioned in my previous post on this topic, we have known for a long time how to build programming languages so that a combination of static and runtime type and operand checking will provide some correctness guarantees without signficantly impacting execution performance. IMHO, it's way past time to start using that knowledge.

  13. Re:Mods on crack!? by atrocious+cowpat · · Score: 3, Funny
    Mods: This is not an attempt at troll, but a parody of the typical "This is why you should switch to Firefox" posts whenever a vulnerability involving IE. It should be painfully obvious, but then again most of you are on crack.

    Slander! I only mod people down when I'm off crack!
    --
    sig? Oh, that sig...
  14. The answer is Defense in Depth by n0-0p · · Score: 3, Interesting

    Yes, both Visual C++ and the GCC ProPolice extensions provide stack and heap protection. And in general these techniques have a minimal impact on execution speed. Unfortunately, this does not solve the problem. There are still viable attacks that can be preformed by avoiding the stack canaries or heap allocation headers and overwriting other vulnerable data. The probability of developing a successful exploit is lower, but it's still there.

    I don't disagree that building secure applications is hard, but it's certainly not impossible. Modularized code just adds another layer of compilcation and potentially confusion. Most of this can be addressed by documenting the design and interface constraints, and ensuring that they're followed. At that point even most security vulnerabilities are primarily implementation defects. Defects will of course still occur, but the trick is to build systems that fail gracefully.

    Developers must to account for defects and expect that every form of security protection will fail given enough time and effort. This is why the concept of "Defense in Depth" is so important. By layering protective measures you provide a level of security such that multiple layers have to fail before a compromise becomes truly serious. Combine that with logging and monitoring, and a successful attack while usually be identified before damage is done.

    Take the above vulnerabiliy and assume it exists in an exploitable form in a web app running on Apache with a Postgres backend. If the server had been configured from a "Defense in Depth" perspective it would be running in a chroot jail as a low privilege account. Any database access required would be performed through a set of stored procedures or a middleware component that validates the user session and restricts data access. SELinux or GRSecurity would be used for fine grained user control on all running processes. All executables would also be compiled with stack and buffer protection.

    In the above scenario, you see that this single exploit wouldn't get you much. However, most systems are deployed with one layer of security, and that's the problem.

  15. very complex code by ep385 · · Score: 5, Interesting

    Has anyone read the zlib code? While the author clearly tried to make it readable it's still very complex and it's very hard to see at a glance or even after many glances where potential buffer overflow problems may exist (or even where it might fail to implement the deflate algorithm). C is great language for writing an operating system where all you care about is setting bits in a machine register but this algorithm really taxes its abilties.

    For comparison here is the deflate algorithm written in Common Lisp. It all fits neaty into a few pages. This is a far better language comparison example than the oft-cited hello world comparison.

  16. Is i my imagination... by MSDos-486 · · Score: 3, Funny

    or does it seem the end of the world will be caused by a buffer overflow?

  17. BSD Status by emidln · · Score: 5, Informative

    For the undead crowd out there:

    OpenBSD is affected, and was patched on the 6th of June
    FreeBSD is affected, and was patched on the 6th of June
    NetBSD base system is not affected, but a zlib from pkgsrc is, and was patched on the 8th of June

    1. Re:BSD Status by i_like_spam · · Score: 2, Informative

      Oops... You meant 'July', not June.

  18. Better yet... by Tyler+Durden · · Score: 2, Informative

    ...instead of looking for information on the NX bit from the buffer overflow page in Wikipedia, look up the thing specifically here. Yeah.

    --
    Happy people make bad consumers.
  19. Correct input validation is the key by timbrown · · Score: 4, Insightful

    It's all very good advocating the use of languages that mitigate against heap and stack overflows et al. But as the recent XML RPC vulnerability in PHP applications should reinforce, the bad guys are migrating to higher level language attacks too.

    The fundamental problem is that all too often, different components of a system have are implemented with different input validation. For example a web browser component running an web application may accept all text input, whereas the backend database is only expecting a subset of text inputs.

    Developers should establish what input the lowest level component and highest level components will require to get the job done and validate input into all components subject to these requirements. Where the lowest and highest level components have different requirements then the developer needs to define some method of encoding values that would otherwise be considered invalid, and ensure that all components enforce this encoding.

    --
    Tim Brown
  20. So, what's wrong with modularization? by mi · · Score: 2, Insightful

    If anything, this story is about how good modularization is. Simply updating one shared library (libz.so or zlib.dll) will fix the problem for all of your installed applications. No?

    --
    In Soviet Washington the swamp drains you.
    1. Re:So, what's wrong with modularization? by elflord · · Score: 2, Insightful
      If anything, this story is about how good modularization is

      Yes.

      Simply updating one shared library (libz.so or zlib.dll) will fix the problem for all of your installed applications. No?

      No. Some applications ship their own zlib and/or statically link to it, circumventing the benefits of modularity.

  21. Re:If you link with zlib the right way, easy to fi by macemoneta · · Score: 5, Interesting

    If the argument were that simple, static linking would never occur.

    The flip side of the argument is that installing a broken zlib will break all application that are dynamically linked, but have no effect on those that are statically linked.

    Remember too that an upgrade to a dynamically linked function means that proper testing must include all software that uses that function. A statically linked application can be tested as a standalone unit.

    The resulting isolation of points of failure and lower MTTR is often seen as an advantage in production environments.

    I remember this specific situation occurring in a production environment I worked in. A common library was updated, causing the failure of multiple critical applications. The ones not impacted? Statically linked.

    Both sides of the discussion clearly have advantages and disadvantages; they have to be weighed to determine the proper risk/benefit.

    --

    Can You Say Linux? I Knew That You Could.

  22. No... by Junta · · Score: 2, Interesting

    Not in the least bit, observe, just verified with ldd that Xorg and firefox have libz dynamically linked in on my system, which means on program restart, it will pick up the code from the shared library at runtime. It's the whole point of a dynamicly linked library.

    Now once upon a time, a lot of distributions (and open source projects out of the box even) would just static link in libz for some reason or another, but after some security issues in the past that caused massive headaches for package maintainers, that practice has largely ceased.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  23. Re:Der.. by Pius+II. · · Score: 2, Insightful

    A company of that size doesn't sneakily use 3rd party software.

    I see. That must be why they not only use zlib, but also remove the copyright strings.
    (Search for "microsoft")

  24. Re:despite being OSS... by djmurdoch · · Score: 3, Informative

    ...there has been no security audit that found this flaw. ...everybody's computers won't be automatically updated just because there is a patch that all total geeks love. ...the source haven't been read by all who uses it, and the flaw wasn't found.

    In fact, this flaw was found by a security audit of an open source project, not by any of the closed source projects (like Microsoft Office) that make use of it.

  25. Re:If you link with zlib the right way, easy to fi by eldacan · · Score: 2, Interesting

    The flip side of the argument is that installing a broken zlib will break all application that are dynamically linked, but have no effect on those that are statically linked.

    That's why some people like to use (say) debian stable in production environments: security fixes are backported to the well-tested version of the lib, making a breakage quite unlikely.

  26. Re:If you link with zlib the right way, easy to fi by NtroP · · Score: 2, Insightful
    [snip]We found this zlib bug close to 3 years ago at NASA IV&V duing Code Analysis for the SWIFT mission[/snip]
    If this was found 3 years ago why wasn't it patched? WTF is my money going to? I pay YOU to help forward human knowledge and understanding. I fully expect that if you are going to use my public code and find a flaw in it that you report it and maybe even provide a working patch for it!

    If your post isn't total bullshit, I'm pissed! I think there should be repercussions for this totally irresponsible attitude we see coming from NASA. When you say "the developers" I'm assuming you mean the developers of the SWIFT mission software, not the developers of zlib, because otherwise we wouldn't be seeing this article on Slashdot!

    If, for some reason this turns into another Sasser or Code Red, I think penalties aught to be sought against these fuckwads. Using OSS has responsibilities associated with it too, you know!

    --
    "terrorism" and "pedophilia" are the root passwords to the Constitution
  27. Zlib loaded with Spyware by yajacuk · · Score: 3, Funny
    I ran the AOL Spyware protection twice this week and both times I found spyware in the Zlib library.
    Here is a sample of the Scan log.
    ASP Version: 1.0.77 Definition Date: 01-05-05 Date: 7/6/2005 5:02:02 PM
    Action: Found: c:\Program Files\daimonin\client\zlib.dll
    Spyware Name: Diablo Keys
  28. Correct interface design. by argent · · Score: 2, Insightful

    Input is just one interface... every internal interface in a system also needs to be designed so that it only accepts known safe or encapsulated data, and if there's limits on safe input they need to be something that the upper layer can reasonably check without having to effectively replicate the component it's passing the data to.

    Let's say, for example, that this overflow involves a pathological artificially created compressed stream. To test for it, you may have to implement most of the algorithms in zlib. To test for it in an image file, you'd have to implement a decoder for that image format that would at least extract the compressed streams to pass to zlib... as well as implementing zlib.

    If the problem in the underlying component is a bug that involves the structure of a complexly encoded data stream, it can't really be described in the input or any internal interfaces. Which means that you're not going to catch it with input validation.

    Which means that while resiliant interface design is important, it's not going to be enough to block deep attacks. The only way to do that is to make the components themselves secure and resilient. And depending on input validation can cause problems, just ask anyone with an unusual surname.

  29. Yawn by ChiralSoftware · · Score: 3, Insightful
    As long as we're using unsafe languages to handle untrusted data, we will keep having these problemss.

    Zlib itself contains 8000 lines of code. Not very big, is it? It's been around for years and is widely used, so in theory a lot of people have been able to look at it. And yet, after all these years, they are still finding buffer overflows in these 8000 lines of code.

    Zlib was not written by monkeys. It was written by very smart, experienced coders. And yet somehow they are not able to write 8000 lines of code without multiple serious buffer overflows.

    As long as code like this is written in C we're going to have these problems.

    Saying, "there's a critical buffer overflow in a library written in C" is as newsworthy as saying "when I bang my head against the wall I get a headache."

  30. Re:If you link with zlib the right way, easy to fi by iabervon · · Score: 2, Informative

    This is really an argument for versioning dynamic libraries very carefully. The Linux dynamic linker has perfectly good support for avoiding problems like this. Each shared library has a "SONAME" field. Programs linked against the library should be able to use any later version of the library with the same SONAME. If the library changes in some way that breaks desireable behavior, it is supposed to get a new SONAME. The system keeps two sets of symlinks, in addition to the object files: libfoo.so is the latest version and libfoo.so.{version} is the latest version of a compatible series. When you link a program, you use the libfoo.so to find which series is newest. When you run a program, you use libfoo.so.{version}, so you get the newest compatible version.

    It sounds like the problem you had was that the common library version number wasn't changed when it should have been. If it had been changed, there would have been no effect on any of the existing programs, static or dynamic. Of course, for a two-line fix to a function which only changes the behavior of the library when dealing with corrupted files, and resulted in a buffer overflow instead of an error, the change won't break anything except attacks, so keeping the same SONAME is right.

    Note that you can see this by doing "ldd {program}", which will report how it looks for each library and what it finds. And you can see that zlib claims to be backwards compatible all the way through 1.x, while openssl is only to 0.9.7.

  31. Gentoo has it's place, too by excyl · · Score: 2, Informative

    Luckily there were some Gentooists recompiling their systems packages every so often, since the vulnerability was found by the Gentoo Linux Security Audit Team here. I've always thought the the more projects making use of the same library, as well as, the platforms a project is ported to eventually improves the quality and stability of the code. In this case the security was improved, but in general the abstracted parts of the code improve.

    --
    --Excyl
  32. Re:I love when this happens by DJ+Rubbie · · Score: 2, Informative

    What are you talking about? All I had to do was to rebuild zlib and restart apps that used zlib. Oh, I did that while I ssh back home from work, all I had to do was to fire off a couple commands to do the same fix as apt-get.

    Please, learn how a Linux/BSD system work, how linked/static binaries work before start critiquing other distributions with non-sense.

    --
    Please direct all bug reports to /dev/null