CLA-2002:469-zlib


by Nikola Strahija on March 15th, 2002

Versions 1.1.3 and lower of the zlib library have a vulnerability[5] which can be used by an attacker (local or remote, depending on the service being targeted) to cause a Denial of Service condition in most cases or, in the worst case, possibly to execute arbitrary code.

With a carefully crafted compressed stream of data it is possible
to make the library attempt to free the same pointer twice, which
will cause the affected program to exit abnormally in most cases.
However, it has already been demonstrated[7] that a double free()
can be used in certain conditions to execute arbitrary code.

Originally reported by Steven Sawkins to the authors for the 1.1.3
version of the library, the problem was initially not deemed a
security vulnerability.

More recently this issue was brought up again[4], this time by
Matthias Clasen, and its security impact was realized after an
analysis done by Owen Taylor.

This update also addresses another problem[8] found by Ethan Benson
in the rsync program. He found out that rsync fails to drop root's
groups when switching to another uid/gid.

Several hundred programs use zlib nowadays. There are basically three
scenarios that will have to be taken into account for this update,
besides having to update zlib itself, of course:

a) services or programs which link dynamically with zlib. In this
case, it is enough to update zlib and, IMPORTANT, restart all these
services after updating the library. A quick way to check for these
services is to issue the following command as root (the lsof package
has to be installed):

lsof | grep libz

The first column shown by this command will be the name of the
process that will have to be restarted. A few examples of processes
that would have to be restarted if they were running are openssh,
snort, mysql and others. If there is any doubt about which processes
will have to be restarted, then it is best to reboot the machine.

b) services or programs which link to the static version of zlib.
These programs will have to be relinked against the fixed zlib
package in order to remove the vulnerability. Such programs in the
distribution were recompiled and are being updated through this
advisory. "rpm" is such a case. In other cases, such as with the
"vnc" package, the package was modified to use the dynamic version of
the library, but it will have to be updated anyway.

c) services or programs which, for one reason or another, include
and use their own copy of the zlib library instead of using the
system provided one. In this case, that specific program or service
will have to be patched and recompiled. Examples of this situation
are rsync, gcc and the kernel. Another solution which is possible
with some packages is to patch them to use, from now on, the system
dynamic version of zlib. In any case, all such programs have to be
updated individually, just updating the system zlib is again not
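
As an added example (not part of this advisory or of Conectiva's own tooling), the following POSIX shell helper does the same discovery as the "lsof | grep libz" check from scenario a) by reading /proc/<pid>/maps directly, so it also works where lsof is not installed. It additionally flags mappings the kernel has tagged "(deleted)", which is what appears once the library file has been replaced on disk while a running process still executes the old copy; such processes are exactly the ones that must be restarted. The pattern '^libz[.]so', the script name and the sample maps lines are assumptions; the functions work on any Linux /proc.

```sh
#!/bin/sh
# Added example: locate processes that still map a zlib shared object, reading
# /proc/<pid>/maps directly instead of "lsof | grep libz". Assumes Linux /proc.
# The PATTERN argument is an awk regular expression matched against the
# basename of each mapped file, e.g. '^libz[.]so' (assumed name; adjust it to
# the library naming used on the system).

# maps_mentions_lib PATTERN
#   Reads /proc/<pid>/maps content on stdin; exit status 0 if any mapped
#   file's basename matches PATTERN, 1 otherwise.
maps_mentions_lib() {
    awk -v pat="$1" '
        NF >= 6 {
            n = split($6, parts, "/")
            if (parts[n] ~ pat) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# stale_lib_mappings PATTERN
#   Reads maps content on stdin and prints each matching path the kernel has
#   tagged "(deleted)": the file on disk was replaced by the update, but the
#   process is still executing the old copy and needs a restart. Exit status 0
#   if at least one such mapping exists.
stale_lib_mappings() {
    awk -v pat="$1" '
        NF >= 7 && $7 == "(deleted)" {
            n = split($6, parts, "/")
            if (parts[n] ~ pat && !seen[$6]++) { print $6; found = 1 }
        }
        END { exit (found ? 0 : 1) }'
}

# scan_running_processes PATTERN
#   Walks /proc and prints "pid comm STALE|mapped" for every process that maps
#   a file matching PATTERN. Unreadable entries (other users' processes, or
#   processes that exited mid-scan) are skipped; run as root for full coverage.
scan_running_processes() {
    for mapfile in /proc/[0-9]*/maps; do
        pid=${mapfile#/proc/}
        pid=${pid%/maps}
        [ -r "$mapfile" ] || continue
        if maps_mentions_lib "$1" < "$mapfile" 2>/dev/null; then
            name=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
            if stale_lib_mappings "$1" < "$mapfile" > /dev/null 2>&1; then
                state=STALE
            else
                state=mapped
            fi
            printf '%s %s %s\n' "$pid" "$name" "$state"
        fi
    done
}

# Usage: sh find_libz.sh --scan   (script name assumed)
case "${1:-}" in
    --scan) scan_running_processes '^libz[.]so' ;;
esac
```

Processes reported as STALE are the ones the advisory says must be restarted after the library update; "mapped" entries are already running the copy currently on disk. The scan only covers dynamically linked programs (scenario a); statically linked programs and programs carrying their own zlib copy (scenarios b and c) do not show a libz mapping at all and still have to be updated individually.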

A few packages are not being updated through this advisory: kernel
and netscape. Netscape will be updated as soon as a new binary
version is released, and the kernel will be updated shortly.

With the above scenarios in mind, we recommend the following update

- apt-get users can proceed as usual. After apt upgrades the
necessary packages, restart the services as described in a), and also
restart any other service that was upgraded if it was already

- users with a version of the distribution which does not support
apt-get (CL
