From owner-freebsd-security Tue Mar 12 7: 3:58 2002
Delivered-To: freebsd-security@freebsd.org
Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id D9A4037BEC6; Tue, 12 Mar 2002 06:54:19 -0800 (PST)
Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id E7B6C44; Tue, 12 Mar 2002 08:53:37 -0600 (CST)
Received: (from nectar@localhost) by madman.nectar.cc (8.11.6/8.11.6) id g2CErbX36079; Tue, 12 Mar 2002 08:53:37 -0600 (CST) (envelope-from nectar)
Date: Tue, 12 Mar 2002 08:53:37 -0600
From: "Jacques A. Vidrine"
To: freebsd-security@FreeBSD.ORG
Cc: jedgar@FreeBSD.ORG, green@FreeBSD.ORG
Subject: zlib and FreeBSD (was Re: RedHat advisory - RHSA-2002:026-35 zlib double free -- Is this 4.5-R-p1?)
Message-ID: <20020312145337.GB35955@madman.nectar.cc>
Mail-Followup-To: "Jacques A. Vidrine", freebsd-security@FreeBSD.ORG, jedgar@freebsd.org, green@freebsd.org
References: <20020311154424.A22882@sheol.localdomain> <64040.1015886430@critter.freebsd.dk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <64040.1015886430@critter.freebsd.dk>
User-Agent: Mutt/1.3.27i
X-Url: http://www.nectar.cc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

In addition to Poul-Henning's information below, the zlib bug was also
patched in the security branches around February 22nd ``just in case.''
Likewise, similar code in the kernel was fixed (sys/net/zlib.c).

Hmm, I just noticed that for some reason, the fixes don't seem to have
been committed to -CURRENT or -STABLE. Maybe Chris had a reason for
this. It may be a moot point soon, as Brian has recently imported the
new (fixed) zlib into -CURRENT, and I imagine he will merge it into
-STABLE before long.

Cheers,
-- 
Jacques A. Vidrine                 http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

On Mon, Mar 11, 2002 at 11:40:30PM +0100, Poul-Henning Kamp wrote:
> ============================================================================
> From: Poul-Henning Kamp
> Subject: the zlib double free bug
> To: security-officer@freebsd.org
> Message-Id: <58959.1015884837@critter.freebsd.dk>
> Date: Mon, 11 Mar 2002 23:13:57 +0100
>
>
> As author of our malloc(3) it is my opinion that we are not vulnerable to
> this (kind of) bug.
>
> Most mallocs keep their housekeeping data right next to the allocated
> range. This gives rise to all sorts of unpleasant situations if
> programs stray outside the dotted line, free(3) things twice or
> free(3) modified pointers.
>
> phkmalloc(3) does not store housekeeping next to allocated data,
> and in particular it has code that detects and complains about
> exactly the kind of double free this advisory talks about:
>
> critter phk> cat a.c
> main()
> {
>         char *p;
>
>         p = malloc(256);
>         p = malloc(256);
>         free(p);
>         free(p);
> }
> critter phk> make a
> cc -O -pipe a.c -o a
> a.c: In function `main':
> a.c:7: warning: assignment makes pointer from integer without a cast
> a.c:8: warning: assignment makes pointer from integer without a cast
> critter phk> ./a
> a in free(): error: chunk is already free
> Abort (core dumped)
> critter phk>
>
> The malloc flag 'A' determines if the situation is just warned about
> or if the program should call abort(3).
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
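The point Poul-Henning makes above, that keeping allocator housekeeping away from the user buffers is what lets a double free be detected rather than silently corrupting the heap, can be shown with a small checked allocator. The program below is an added example, not code from the mail or from phkmalloc: it keeps a side table of live allocations, refuses a second free(3) of the same pointer, and has a warn-or-abort switch (`chk_abort_on_error`) modelled on the 'A' malloc flag described in the quote. All names (`chk_malloc`, `chk_free`, `chk_demo_double_free`, the table size) are this example's own.

```c
/* Added example (not from the original mail): a tiny checked allocator that
 * keeps its housekeeping in a side table, away from the user buffers, so a
 * second free(3) of the same pointer is detected instead of corrupting the
 * allocator's own metadata. The "abort on error" switch mirrors the idea of
 * phkmalloc's 'A' option; the names below are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHK_MAX_LIVE 64

/* Side table: one slot per live allocation. Nothing here is adjacent to the
 * memory handed to the caller, so an overrun of a buffer cannot reach it. */
static void  *chk_live[CHK_MAX_LIVE];
static size_t chk_live_size[CHK_MAX_LIVE];
static int    chk_live_count = 0;

/* Behaviour on a detected error: 0 = warn and continue, 1 = abort(3). */
int chk_abort_on_error = 0;

static int chk_report(const char *msg, void *p)
{
    fprintf(stderr, "chk_free(%p): error: %s\n", p, msg);
    if (chk_abort_on_error)
        abort();
    return -1;
}

/* Allocate and register the block. Returns NULL when out of memory or when
 * the side table is full. */
void *chk_malloc(size_t n)
{
    if (chk_live_count >= CHK_MAX_LIVE)
        return NULL;
    void *p = malloc(n);
    if (p == NULL)
        return NULL;
    chk_live[chk_live_count] = p;
    chk_live_size[chk_live_count] = n;
    chk_live_count++;
    return p;
}

/* Free a block only if the side table says it is currently live.
 * Returns 0 on success, -1 (or aborts) on a double free or foreign pointer. */
int chk_free(void *p)
{
    if (p == NULL)
        return 0;                       /* free(NULL) is a no-op, as in C */
    for (int i = 0; i < chk_live_count; i++) {
        if (chk_live[i] == p) {
            /* Poison the user data before releasing it, so a stale use
             * after free is more likely to fail loudly than silently. */
            memset(p, 0xd0, chk_live_size[i]);
            free(p);
            /* Drop the slot by moving the last entry into its place. */
            chk_live[i] = chk_live[chk_live_count - 1];
            chk_live_size[i] = chk_live_size[chk_live_count - 1];
            chk_live_count--;
            return 0;
        }
    }
    return chk_report("chunk is already free or was never allocated here", p);
}

/* Number of blocks the side table currently considers live. */
int chk_live_allocations(void)
{
    return chk_live_count;
}

/* Replays the double free from the quoted a.c against the checked allocator.
 * Returns 1 when the first free succeeds and the second is caught. */
int chk_demo_double_free(void)
{
    char *p = chk_malloc(256);
    if (p == NULL)
        return 0;
    int first = chk_free(p);    /* 0: normal release */
    int second = chk_free(p);   /* -1: caught, since abort is switched off */
    return (first == 0 && second == -1) ? 1 : 0;
}

int main(void)
{
    printf("double free detected: %s\n",
           chk_demo_double_free() ? "yes" : "no");
    return 0;
}
```

With `chk_abort_on_error` left at 0 the second free(3) only produces a diagnostic on stderr and a -1 return, which is the "warn" behaviour; setting it to 1 before the demo gives the abort(3) and core dump seen in the quoted session. The side table here is a linear array, which is fine for an illustration but not for a real allocator; the property that matters is that the metadata lives somewhere the program's own writes cannot reach.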