OpenBSD Journal

Reliability Fix - zlib patch released

Contributed by grey on from the prompt patch posting dept.

Thanks to those who wrote in to let us know about this reliability fix. Hans puts it nicely:

Looks like you can crash applications through zlib again, and OpenBSD has promptly released an applicable patch. The vulnerability is caused due to insufficient error handling in the functions "inflate()" and "inflateBack()". 3.5 patch here: ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/017_libz.patch.

Of course, be sure to check http://www.openbsd.org/errata.html for additional details. The word from Brad Smith is that 3.4 is unaffected.

(Comments are closed)


Comments
  1. By Bert (203.215.101.75) on

    rebuild /sbin? what necessary applications in src/sbin are linked against libz? I think there are no necessary programs in /bin that are statically linked against libz :-)

    Comments
    1. By grey (207.215.223.2) on

      Good catch, I've removed that comment from the posting so as to avoid confusion.

      Comments
      1. By Norbert P. Copones (203.215.101.75) http://www.feu-nrmf.ph/norbert/ on

        thanks a lot :-)

    2. By Brad (216.138.200.42) brad at comstyle dot com on

      heh, just noticed your comment. ya, I had grey fix this since it's true that nothing in /sbin is linked with zlib. with regard to the base system the only pieces that appear to be linked against zlib are...

      gnu/usr.bin/cvs
      libexec/spamd-setup
      usr.bin/compress
      usr.bin/grep
      usr.bin/ssh
      usr.sbin/ppp
      

      and they're all dynamically linked. if you're on a static arch (hppa, vax, mvme88k) then you'll have to recompile them.

      Comments
      1. By Norbert P. Copones (203.215.101.75) on

        And do I have to recompile the kernel too? Since the same file changes apply in the kernel code too.

        Comments
        1. By Brad (216.138.200.42) brad at comstyle dot com on

          No, the copy in sys/lib/libz is only used for the boot blocks. The copy of zlib used in the kernel is in sys/net/zlib.c and this is an older version not affected by this issue with the newer implementation of inflate in zlib 1.2.x.

      2. By hans (137.186.220.128) on

        erm, grepping along I see yer right, thanks for jumping on that..

      3. By van (81.1.215.2) on

        Sorry for just a dumb question, but what about those not in a base system, i.e. ports? Is there any method to find and rebuild installed ports that are statically linked against zlib?

        Comments
        1. By van (81.1.215.2) on

          ...of course, if such a necessity exists at all.
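
One way to approach the question above about ports that carry their own copy of zlib, as an added example that is not part of the original thread or of OpenBSD's tooling. It is a heuristic that relies on the `inflate_copyright` string zlib compiles in from inftrees.c; the function names and the sample files built by `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread.
# zlib's inftrees.c defines inflate_copyright[] as
#   " inflate <version> Copyright <years> Mark Adler "
# so a file that contains its own copy of inflate contains this string,
# while a program that only calls into libz.so does not.

# embedded_zlib_version FILE
# Print the version from the first embedded inflate copyright string, if any.
embedded_zlib_version() {
    LC_ALL=C grep -a -o 'inflate [0-9][0-9A-Za-z.-]* Copyright' "$1" 2>/dev/null |
        head -n 1 | awk '{ print $2 }'
}

# scan_tree DIR
# Print "<path> <version> <verdict>" for each regular file under DIR that
# embeds inflate. The shared libz itself will be listed too if DIR holds it.
scan_tree() {
    find "$1" -type f | while IFS= read -r f; do
        v=$(embedded_zlib_version "$f")
        [ -n "$v" ] || continue
        case "$v" in
            # 1.2.x carries the newer inflate implementation the thread discusses;
            # the string cannot tell whether that copy was built from patched source.
            1.2*) echo "$f $v REVIEW" ;;
            *)    echo "$f $v pre-1.2" ;;
        esac
    done
}

# demo: scan three constructed sample files (stand-ins, not real binaries).
demo() {
    d=$(mktemp -d) || return 1
    printf 'ELF\000 inflate 1.2.1 Copyright 1995-2003 Mark Adler \000' > "$d/static_new"
    printf 'ELF\000 inflate 1.1.4 Copyright 1995-2002 Mark Adler \000' > "$d/static_old"
    printf 'ELF\000only calls into libz.so\000' > "$d/dynamic"
    scan_tree "$d" | sed "s|^$d/||" | sort
    rm -rf "$d"
}

# Run as: sh scan.sh /usr/local   (no argument: define the functions only)
[ $# -eq 0 ] || scan_tree "$1"
```

A file flagged REVIEW needs to be rebuilt against the patched library before it can be considered fixed; a stripped or compressed binary may hide the string, so an empty result is not proof of absence.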

  2. By Ian McWilliam (220.240.54.229) on

    Why does the patch on the ftp site only contain the fix for userland libz and not the kernel's libz as well? It is updated in the stable branch for the kernel.

    Comments
    1. By Otto (213.84.84.111) otto@drijf.net on http://www.drijf.ney

      It is nothing new for the stable branch to contain more than covered by the patches.

      Patches are only released for things that are considered critical. We want to keep the number of patches and the amount of code affected as small as possible.

      The stable branches also contain stuff that is important, but not as critical.

      The userland libz is used to process foreign files; files that come from potentially untrusted sources on the net. The kernel libz is only used for boot code, which processes local, trusted files. So that makes the kernel libz fix not as critical as the userland libz fix.

      Comments
      1. By Ian McWilliam (220.240.54.229) on

        I know there is a better place for this discussion but I wonder......

        sys/net/ppp_deflate.c

         * ppp_deflate.c - interface the zlib procedures for Deflate compression
         * and decompression (as used by gzip) to the PPP code.
         * This version is for use with mbufs on BSD-derived systems.

        Wonder if there are actually more places zlib is used in-kernel???

        Comments
        1. By Otto (213.84.84.111) otto@drijf.net on http://www.drijf.net

          Yes

          $ cd /usr/src/sys
          $ grep -lr inflate .
          

        2. By Brad (216.138.200.42) brad at comstyle dot com on

          Yes, it is, but not the same copy of zlib as you're referring to. Read what I previously said... "The copy of zlib used in the kernel is in sys/net/zlib.c and this is an older version not affected by this issue with the newer implementation of inflate in zlib 1.2.x."
