Information Security News mailing list archives

Software Bug Could Threaten Security Of Linux Systems


From: InfoSec News <isn () c4i org>
Date: Tue, 12 Mar 2002 00:43:30 -0600 (CST)

http://www.newsbytes.com/news/02/175117.html

By Brian Krebs, Newsbytes
WASHINGTON, D.C., U.S.A.,
11 Mar 2002, 5:03 PM CST
 
The Linux community today announced the discovery of a flaw in a
common system library file that could compromise the security of
nearly every flavor of the open-source operating system in use today.

The vulnerability is tied to "zlib," a memory compression and
decompression tool that is used by hundreds of program packages in
Linux, including the Mozilla Web browser and the distribution's
"kernel," code that comprises the core of the operating system.
 
The trouble with zlib is that it is vulnerable to an error when
uncompressing data that allows memory to be freed more than once – or
"double-freed."

Such an event can interfere with the way programs allocate memory,
resulting in program crash or denial-of-service condition, at best.
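To make the "freed more than once" failure concrete, here is a constructed example (added here; not zlib's code and not from the article) of the shape such a bug takes in a decompressor's teardown: an outer state owns an inner block buffer, one cleanup helper frees it, and a second cleanup path frees it again. The names `inflate_state`, `blocks_free_*` and `run_cleanup` are hypothetical, and the small live-allocation table exists only so the double free is counted rather than corrupting the heap.

```c
#include <stdlib.h>

/* Constructed: a tiny table of live allocations so a second free of the
 * same pointer is reported instead of corrupting the allocator. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_frees;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);            /* table full: refuse rather than lose track */
    return NULL;
}

/* Returns 1 for a normal free (or NULL), 0 when the pointer is not live,
 * i.e. it has already been freed. Real code would corrupt the heap here. */
static int tracked_free(void *p) {
    if (!p) return 1;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return 1; }
    double_frees++;
    return 0;
}

/* Hypothetical decompression state: outer state owning a block buffer. */
typedef struct { unsigned char *blocks; } inflate_state;

/* Buggy helper: releases the buffer but leaves the dangling pointer. */
static void blocks_free_buggy(inflate_state *s) { tracked_free(s->blocks); }

/* Common fix: clear the pointer so any later cleanup pass sees NULL. */
static void blocks_free_fixed(inflate_state *s) {
    tracked_free(s->blocks);
    s->blocks = NULL;
}

/* Teardown with two release paths, as in an inflateEnd-style cleanup
 * followed by an error-path cleanup. Returns the number of double frees. */
static int run_cleanup(void (*blocks_free)(inflate_state *)) {
    inflate_state s;
    double_frees = 0;
    s.blocks = tracked_malloc(32);
    blocks_free(&s);          /* first release: normal block teardown */
    tracked_free(s.blocks);   /* second release on the error path */
    return double_frees;      /* buggy helper: 1, fixed helper: 0 */
}
```

The buggy helper leaves `s.blocks` dangling, so the second path frees it again; the fixed helper nulls the pointer and the second free becomes a harmless `free(NULL)`.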

At worst, a malicious programmer could design code for a file format
that relies on zlib – such as "png," an image format. Such a file,
included in a Web page and read by the Mozilla Web browser, could
crash the program, or allow the attacker to take complete control of the
affected system.

"We worked out pretty quickly that this was a fairly serious issue,"
said Mark Cox, senior director of engineering for Red Hat Inc., of
consultations with the developers who discovered the problem - Owen
Taylor and Matthias Clasen. "We decided there's no way we could
address this issue without bringing CERT into it."

CERT, the government-funded Computer Emergency Response Team at
Carnegie Mellon University in Pittsburgh, is responsible for alerting
industry and the public to widespread computer and software security
holes.

According to a preliminary CERT release, the vulnerability is not
limited to Linux. The zlib library is freely available and is used by
many vendors in a wide variety of applications, including by IBM.
Dozens of other computer and software system makers are still testing
their systems, CERT notes.

So far, no known exploit is available for this particular
vulnerability, and the various Linux distributions have already begun
releasing an updated zlib version to replace the vulnerable one.

But security experts are warning that malicious hackers are unlikely
to be able to resist developing an exploit for a security hole that
could affect such a vast number of systems.

"The problem is certainly urgent, but this is a simple fix," Cox said.
"If people take care of it now, there won't be any vulnerability for
others to exploit down the road."

The CERT advisory is at http://www.kb.cert.org/vuls/id/368819



-
ISN is currently hosted by Attrition.org