You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Ryan Bloom <rb...@covalent.net> on 2002/03/12 00:41:13 UTC

FW: zlib vulnerability

We should probably do something about this, but I'm not sure what.

Ryan

----------------------------------------------
Ryan Bloom                  rbb@covalent.net
645 Howard St.              rbb@apache.org
San Francisco, CA 

-----Original Message-----
From: GOMEZ Henri [mailto:hgomez@slib.fr] 
Sent: Monday, March 11, 2002 3:54 PM
To: Ryan Bloom
Subject: zlib vulnerability

Hi Ryan,

Sorry to disturb you but a quick note to warn you
about a vulnerability in zlib (which may be used in 
Apache 2.0 code).

http://www.gzip.org/zlib/advisory-2002-03-11.txt

Regards

-
Henri Gomez                 ___[_]____
EMAIL : hgomez@slib.fr        (. .)                     
PGP KEY : 697ECEDD    ...oOOo..(_)..oOOo...
PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6

Re: FW: zlib vulnerability

Posted by "Victor J. Orlikowski" <vj...@dulug.duke.edu>.

Should not matter, unless we staticly link in zlib somewhere.
Dynamic linked apps using zlib are fine with a zlib upgrade.

Victor
-- 
Victor J. Orlikowski   | The Wall is Down, But the Threat Remains!
==================================================================
orlikowski@apache.org  | vjo@dulug.duke.edu | vjo@us.ibm.com

Re: FW: zlib vulnerability

Posted by Greg Stein <gs...@lyra.org>.

Recommend that people upgrade, but the vulnerability is *VERY* small. This
is merely talking about corruption of malloc structures. To map that into an
*application* is practically impossible. It highly depends upon the sequence
of malloc() calls, sizes, etc.

IOW, we do nothing but recommend zlib 1.1.4. As an aid, we could have an
autoconf test for the version and issue a warning. But I don't see code
changes needed.

Cheers,
-g

On Mon, Mar 11, 2002 at 03:41:13PM -0800, Ryan Bloom wrote:
> We should probably do something about this, but I'm not sure what.
> 
> Ryan
>...
> -----Original Message-----
> From: GOMEZ Henri [mailto:hgomez@slib.fr] 
> Sent: Monday, March 11, 2002 3:54 PM
> To: Ryan Bloom
> Subject: zlib vulnerability
> 
> Hi Ryan,
> 
> Sorry to disturb you but a quick note to warn you
> about a vulnerability in zlib (which may be used in 
> Apache 2.0 code).
> 
> http://www.gzip.org/zlib/advisory-2002-03-11.txt
> 
> Regards
> 
> -
> Henri Gomez                 ___[_]____
> EMAIL : hgomez@slib.fr        (. .)                     
> PGP KEY : 697ECEDD    ...oOOo..(_)..oOOo...
> PGP Fingerprint : 9DF8 1EA8 ED53 2F39 DC9B 904A 364F 80E6 

-- 
Greg Stein, http://www.lyra.org/

Re: FW: zlib vulnerability

Posted by Greg Stein <gs...@lyra.org>.

On Tue, Mar 12, 2002 at 12:14:14AM -0800, Justin Erenkrantz wrote:
> On Mon, Mar 11, 2002 at 08:28:11PM -0500, Jeff Trawick wrote:
> > "Ryan Bloom" <rb...@covalent.net> writes:
> > 
> > > We should probably do something about this, but I'm not sure what.
> > 
> > I thought the zlib vulnerability was in the decompress path.
> > mod_deflate doesn't decompress.
> 
> Yup.  Adler mentioned here on-list that there was a memory leak
> when using the decompression routines.  I'm wondering if that has
> something to do with this vulnerability.  
> 
> But, yes, I'd say mod_deflate wouldn't be affected unless/until
> we add input-filtering support.  (I think SVN might like this
> at some point.)  -- justin

Yessir!

It would help whenever a new file is added. Regular commits, though, are
sent as small patches, so the to-server direction is usually pretty light,
bandwidth-wise.

Cheers,
-g

-- 
Greg Stein, http://www.lyra.org/

Re: FW: zlib vulnerability

Posted by Justin Erenkrantz <je...@ebuilt.com>.

On Mon, Mar 11, 2002 at 08:28:11PM -0500, Jeff Trawick wrote:
> "Ryan Bloom" <rb...@covalent.net> writes:
> 
> > We should probably do something about this, but I'm not sure what.
> 
> I thought the zlib vulnerability was in the decompress path.
> mod_deflate doesn't decompress.

Yup.  Adler mentioned here on-list that there was a memory leak
when using the decompression routines.  I'm wondering if that has
something to do with this vulnerability.  

But, yes, I'd say mod_deflate wouldn't be affected unless/until
we add input-filtering support.  (I think SVN might like this
at some point.)  -- justin

Re: FW: zlib vulnerability

Posted by Jeff Trawick <tr...@attglobal.net>.

"Ryan Bloom" <rb...@covalent.net> writes:

> We should probably do something about this, but I'm not sure what.

I thought the zlib vulnerability was in the decompress path.
mod_deflate doesn't decompress.

-- 
Jeff Trawick | trawick@attglobal.net | PGP public key at web site:
       http://www.geocities.com/SiliconValley/Park/9289/
             Born in Roswell... married an alien...