zlib "inftrees.c" Buffer Overflow Vulnerability
Archived thread, Anonymous Servers, July 2005
Thomas J. Boschloo, 2005-07-11, 5:47 pm
-----BEGIN PGP SIGNED MESSAGE-----
<http://secunia.com/advisories/15949/>
Guess it also affects PGP and GnuPG.
/////
9.3. Compression Algorithms
ID Algorithm
-- ---------
0 - Uncompressed
1 - ZIP (RFC 1951)
2 - ZLIB (RFC 1950)
100 to 110 - Private/Experimental algorithm.
Implementations MUST implement uncompressed data. Implementations
SHOULD implement ZIP. Implementations MAY implement ZLIB.
/////
Note that RFC 1991 uses ZIP only! (fortunately) So those versions might
be safe from this bug.
Remailer servers should consider not using (Open)PGP for decryption and
should consider removing the 'C' from their mixmaster capabilities.
I guess they could also consider shutting down and applying the (ZLib
1.2.3??) patch before decrypting any new traffic waiting in the pools.
I wonder who will update the CKT builds against this..
This bug is serious guys..
Thomas
- --
Life is like a videogame with no chance to win - ATR
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iQB5AwUBQtKC+QEP2l8iXKAJAQG97wMgpDUUTvfsStZ2e8ZkbJ6ryv69+7GPm9fH
HJiZmK67UWDJsmOYwQREoUumiwn2bARxQMcMZ7Bf1umz+zPH44+J6PPCQABu9RuH
gVPX1XBrQADEU2KZtOzTxPVjHvuY5EQsl9kv8g==
=/RCL
-----END PGP SIGNATURE-----
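Added example (editor's code, not from the thread, GnuPG or Mixmaster): a Python walker over OpenPGP packets that reports the compression algorithm ID of each Compressed Data packet (tag 8), using the ID table quoted above, and inflates the payload with the matching zlib window setting. The sample message is constructed inline. One caveat a remailer operator should weigh: in GnuPG both algorithm 1 (ZIP, raw deflate) and algorithm 2 (ZLIB) go through zlib's inflate, the only difference being the stream framing, so the algorithm ID alone does not tell you which messages stay clear of zlib; the example reflects that by decoding both with zlib.

```python
"""Added example, not code from the thread, GnuPG or Mixmaster: walk the
packets of an OpenPGP message and report the algorithm ID of every
Compressed Data packet (tag 8) using the ID table quoted in the thread.
Both ID 1 (ZIP) and ID 2 (ZLIB) are inflated by zlib, only the framing
differs. The sample message at the bottom is constructed inline."""
import zlib

COMPRESSED_DATA_TAG = 8
COMPRESSION_ALGS = {0: "Uncompressed", 1: "ZIP (RFC 1951)", 2: "ZLIB (RFC 1950)"}
# ID 1 is a raw deflate stream (negative wbits: no header, no Adler-32),
# ID 2 carries the RFC 1950 wrapper.
WBITS_FOR_ALG = {1: -zlib.MAX_WBITS, 2: zlib.MAX_WBITS}


def iter_packets(data):
    """Yield (tag, body) for each packet, old- and new-format headers
    (RFC 2440 section 4.2). Partial-body lengths are rejected, not guessed."""
    i, n = 0, len(data)
    while i < n:
        ptag = data[i]
        if not ptag & 0x80:
            raise ValueError("bad packet tag byte at offset %d" % i)
        i += 1
        if ptag & 0x40:                      # new format
            tag = ptag & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body length not supported")
        else:                                # old format
            tag = (ptag >> 2) & 0x0F
            ltype = ptag & 0x03
            if ltype == 3:                   # indeterminate: runs to end of input
                length = n - i
            else:
                size = (1, 2, 4)[ltype]
                length = int.from_bytes(data[i:i + size], "big")
                i += size
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet body at offset %d" % i)
        yield tag, body
        i += length


def compressed_packets(data):
    """[(algorithm_id, name, payload)] for every Compressed Data packet."""
    found = []
    for tag, body in iter_packets(data):
        if tag == COMPRESSED_DATA_TAG and body:
            alg = body[0]
            found.append((alg, COMPRESSION_ALGS.get(alg, "private/unknown"), body[1:]))
    return found


def inflate_packet(alg, payload):
    """Decompress a Compressed Data payload according to its algorithm ID."""
    if alg == 0:
        return payload
    if alg not in WBITS_FOR_ALG:
        raise ValueError("unsupported compression algorithm %d" % alg)
    return zlib.decompress(payload, WBITS_FOR_ALG[alg])


# --- constructed sample message (helpers below only build test input) ---
def new_format_packet(tag, body):
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


def deflate_raw(data):
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


PLAINTEXT = b"remailer test payload " * 20
LITERAL = b"stored without compression"
SAMPLE = (
    new_format_packet(8, b"\x01" + deflate_raw(PLAINTEXT))            # ZIP
    + new_format_packet(11, b"b\x00" + b"\x00" * 4 + b"x" * 300)      # literal data, two-octet length
    + new_format_packet(8, b"\x02" + zlib.compress(PLAINTEXT))        # ZLIB
    + bytes([0x80 | (8 << 2), len(LITERAL) + 1]) + b"\x00" + LITERAL  # old-format header, uncompressed
)

if __name__ == "__main__":
    for alg, name, payload in compressed_packets(SAMPLE):
        print("compression algorithm %d (%s): %d bytes -> %d bytes inflated"
              % (alg, name, len(payload), len(inflate_packet(alg, payload))))
```

Run directly it prints one line per Compressed Data packet. Refusing messages whose packets carry ID 1 or 2 is the packet-level form of the advice above to stop accepting compressed traffic; partial-body lengths are rejected rather than parsed, which is the conservative choice for anything placed in front of a decompressor.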
Zax, 2005-07-11
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
["Followup-To:" header set to alt.privacy.anon-server.]
On Mon, 11 Jul 2005 16:32:25 +0200, Thomas J. Boschloo wrote in
Message-Id: <42d282d2$0$11989$e4fe514c@news.xs4all.nl>:
> I guess they could also consider shutting down and applying the (ZLib
> 1.2.3??) patch before decrypting any new traffic waiting in the pools.
Hi Thomas,
There is no released patch for this bug as yet. As a serious security
fix, no doubt it will make its way out to *nix packages very rapidly
once one is available.
> This bug is serious guys..
Yes, but so far as I can tell, not life-threatening.
As I understand it, the bug could cause an application to crash by
overwriting and corrupting memory. This is serious, but from the
perspective of Gnupg and Remailers it's not going to decode messages and
email passphrases to the FBI. The danger level is not sufficient to
warrant the immediate shutting down of services IMO. Hopefully things
will hang together until a patch is available.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iQEVAwUBQtKGr2oLu9HNUqmMAQrN2QgAkotoSnF2XxKPnDiUQ07dBQEedda2BjIA
0h4tXPxIAVZym5CZHRSZdQBhKII7YT/EiEnSTeUBgo/iecCn7sir3V6Rk7NGeRMv
vnZcf4rML19rFMC/Kt5sBsKWUKeER6lD/IxxrVUmEpTjXeI0QXRqsVBVEGDAtiLn
yjTsOv13HQbuvNkfoy/lfJAISTz5lAuPPbZM4gYd+wJcGtPqma1RTa21kJfkLeum
9Yyhn3nmkDqRrDF950ymC8MnTWafVYz61HBjNvvIKfnichR0Lkmbn0LgV+CvQZal
6d8iYvvdLDZN7WAJuCX650zXK4L90HRmMdqqi3d8e030HPDJXZzRTQ==
=RMOR
-----END PGP SIGNATURE-----
--
pub 1024D/8ED57743 2003-07-08 Bananasplit Operator
Key fingerprint = 796F 67E0 E890 A0BB BDAE EBB4 94A6 7A09 8ED5 7743
uid Admin <admin.bananasplit.info>
Thomas J. Boschloo, 2005-07-11, 5:47 pm
-----BEGIN PGP SIGNED MESSAGE-----
Zax wrote:
> On Mon, 11 Jul 2005 16:32:25 +0200, Thomas J. Boschloo wrote in
> Message-Id: <42d282d2$0$11989$e4fe514c@news.xs4all.nl>:
> Hi Thomas,
> There is no released patch for this bug as yet. As a serious security
> fix, no doubt it will make it's way out to *nix packages very rapidly
> once one is available.
http://www.us-cert.gov/cas/bulletins/SB05-188.html#zlib talks about a
possible exploit that would allow executing arbitrary code..
This page also has links to updates for Debian, FreeBSD, Gentoo, SUSE
and Ubuntu (never heard of Gentoo nor Ubuntu).
The NSA probably has the expertise to write such an exploit and secretly
extract private remailer keys with it.. They have had since Thursday to
do so..
High regards,
Thomas
- --
Life is like a videogame with no chance to win - ATR
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iQB5AwUBQtKLAwEP2l8iXKAJAQGzbAMgt45k5hv9lW/7iIkBXW3+0YVe82tERVfV
Gf66z02bGCpRmKT0XNIH6fzd/UBeALomVz1EZZf4tWDZuVGN6yP+oe5oVyXN85Ok
oDdcp6epZUpyjFfHwjtgqIZYELps/N+RdNK+bg==
=IhIO
-----END PGP SIGNATURE-----
David W. Hodgins, 2005-07-11, 5:47 pm
On Mon, 11 Jul 2005 11:06:43 -0400, Thomas J. Boschloo <nospam@hccnet.nl> wrote:
> http://www.us-cert.gov/cas/bulletins/SB05-188.html#zlib talks about a
> possible exploit that would allow executing arbitrary code..
According to http://www.zlib.net/ the exploit causes overwriting of
memory that follows the internal inflate state. They state it may cause
programs to crash, but do not say anything about remote code execution.
> This page also has links to updates for Debian, FreeBSD, Gentoo, SUSE
> and Ubuntu (never heard of Gentoo nor Ubuntu).
Gentoo and Ubuntu are linux distributions ...
http://www.gentoo.org/
http://www.ubuntulinux.org/
> The NSA probably has the expertise to write such an exploit and secretly
> extract private remailer keys with it.. They have had since Thursday to
> do so..
Standard risk assessment should be applied here. What are you hiding, and
who is likely to be trying to get it.
Regards, Dave Hodgins
--
Change nomail.afraid.org to rogers.com to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
Thomas J. Boschloo, 2005-07-11, 5:47 pm
-----BEGIN PGP SIGNED MESSAGE-----
David W. Hodgins wrote:
> On Mon, 11 Jul 2005 11:06:43 -0400, Thomas J. Boschloo
> <nospam@hccnet.nl> wrote:
> According to http://www.zlib.net/ the exploit causes overwriting of
> memory that follows the internal inflate state. They state it may cause
> programs to crash, but do not say anything about remote code execution.
Also note that they haven't got a patch ready yet, which they would only
need to copy from any of the sites in the cert advisory.. (just fixing a
single buffer I guess).
> Gentoo and Ubuntu are linux distributions ...
> http://www.gentoo.org/
> http://www.ubuntulinux.org/
I guessed that much.
> Standard risk assessment should be applied here. What are you hiding, and
> who is likely to be trying to get it.
See my other post on this..
Thomas
- --
Life is like a videogame with no chance to win - ATR
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iQB5AwUBQtLFDgEP2l8iXKAJAQH+egMgk3j+Puc8M97LjaGGmk+Zo+xLuixnCC12
N8aiRhEqPyJCe1i5ZGB+gUGc0IXOvqWePWkGlYVAIl9q7AdUupJBt6fiKbjFIp+R
kgW9Gjkp+XB9YUvpWy/OaCvi9uAgrn7Z25pjSw==
=QgSv
-----END PGP SIGNATURE-----
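Added example, not from the thread: the check an operator weighing "shut down" against "hang together until a patch" would want inside the service itself. Python's zlib module exposes both the header version it was compiled against and the library really loaded at runtime; the first function gates on the runtime one, with the required version taken as an assumption from the thread's own guess that the fix ships as zlib 1.2.3 (use the version your vendor advisory names). The second function inflates with a hard output cap through zlib's max_length argument, which limits what a hostile stream can make the process allocate; it does not remove the bug in the inflater, only the patched library does that.

```python
"""Added example, not from the thread: gate a service on the zlib actually
loaded at runtime and inflate with a hard output cap. REQUIRED_ZLIB is an
assumption taken from the thread's own guess that the fix ships as 1.2.3;
substitute the version your vendor advisory names."""
import zlib

REQUIRED_ZLIB = "1.2.3"   # assumption, see module docstring


def parse_version(text):
    """'1.2.3.3' -> (1, 2, 3, 3). Parsing stops at the first component that is
    not purely numeric, so '1.2.3-1' becomes (1, 2, 3)."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
        if len(digits) != len(piece):   # trailing junk ends the version
            break
    return tuple(parts)


def version_at_least(have, want):
    """Compare dotted versions numerically, padding with zeros (1.2.3 == 1.2.3.0)."""
    h, w = parse_version(have), parse_version(want)
    width = max(len(h), len(w))
    return h + (0,) * (width - len(h)) >= w + (0,) * (width - len(w))


def zlib_is_patched(required=REQUIRED_ZLIB):
    """True if the zlib loaded into this process is at least `required`.
    ZLIB_RUNTIME_VERSION is the shared library really linked at run time;
    ZLIB_VERSION is only the header the interpreter was compiled against."""
    runtime = getattr(zlib, "ZLIB_RUNTIME_VERSION", zlib.ZLIB_VERSION)
    return version_at_least(runtime, required)


def bounded_inflate(stream, wbits, max_out):
    """Inflate `stream`, raising ValueError if the output would exceed max_out
    bytes or the stream ends early. The cap is enforced through zlib's own
    max_length argument, so no oversize buffer is ever allocated."""
    d = zlib.decompressobj(wbits)
    out = bytearray()
    data = stream
    while True:
        chunk = d.decompress(data, max_out - len(out) + 1)
        out += chunk
        if len(out) > max_out:
            raise ValueError("inflated data exceeds cap of %d bytes" % max_out)
        data = d.unconsumed_tail          # input zlib stopped at because of the cap
        if d.eof:
            return bytes(out)
        if not data and not chunk:        # no input left and nothing pending
            raise ValueError("truncated or malformed compressed stream")


SAMPLE_PLAIN = b"A" * 100000              # constructed: compresses roughly 1000:1
SAMPLE_STREAM = zlib.compress(SAMPLE_PLAIN, 9)

if __name__ == "__main__":
    print("zlib runtime", getattr(zlib, "ZLIB_RUNTIME_VERSION", zlib.ZLIB_VERSION),
          "patched:", zlib_is_patched())
    print(len(bounded_inflate(SAMPLE_STREAM, zlib.MAX_WBITS, 200000)), "bytes inflated")
```

A daemon would call zlib_is_patched() at start-up and refuse to take compressed traffic out of the pool until it returns true, and route every inflate through bounded_inflate with a cap sized to the largest message it is willing to handle.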