Date: Tue, 12 Mar 2002 08:53:37 -0600
From: "Jacques A. Vidrine" <nectar@FreeBSD.ORG>
To: freebsd-security@FreeBSD.ORG
Cc: jedgar@FreeBSD.ORG, green@FreeBSD.ORG
Subject: zlib and FreeBSD (was Re: RedHat advisory - RHSA-2002:026-35 zlib double free -- Is this 4.5-R-p1?)
Message-ID: <20020312145337.GB35955@madman.nectar.cc>
In-Reply-To: <64040.1015886430@critter.freebsd.dk>
References: <20020311154424.A22882@sheol.localdomain> <64040.1015886430@critter.freebsd.dk>
In addition to Poul-Henning's information below, the zlib bug was also
patched in the security branches around February 22nd ``just in case.''
Likewise, similar code in the kernel was fixed (sys/net/zlib.c).

Hmm, I just noticed that for some reason, the fixes don't seem to have
been committed to -CURRENT or -STABLE. Maybe Chris had a reason for this.
It may be a moot point soon, as Brian has recently imported the new
(fixed) zlib into -CURRENT, and I imagine he will merge it into -STABLE
before long.

Cheers,
-- 
Jacques A. Vidrine <n@nectar.cc>                 http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

On Mon, Mar 11, 2002 at 11:40:30PM +0100, Poul-Henning Kamp wrote:
> ============================================================================
> From: Poul-Henning Kamp <phk@freebsd.org>
> Subject: the zlib double free bug
> To: security-officer@freebsd.org
> Message-Id: <58959.1015884837@critter.freebsd.dk>
> Date: Mon, 11 Mar 2002 23:13:57 +0100
>
> As author of our malloc(3) it is my opinion that we are not vulnerable to
> this (kind of) bug.
>
> Most mallocs keep their housekeeping data right next to the allocated
> range. This gives rise to all sorts of unpleasant situations if
> programs stray outside the dotted line, free(3) things twice or
> free(3) modified pointers.
>
> phkmalloc(3) does not store housekeeping next to allocated data,
> and in particular it has code that detects and complains about
> exactly the kind of double free this advisory talks about:
>
> critter phk> cat a.c
> main()
> {
>         char *p;
>
>         p = malloc(256);
>         p = malloc(256);
>         free(p);
>         free(p);
> }
> critter phk> make a
> cc -O -pipe a.c -o a
> a.c: In function `main':
> a.c:7: warning: assignment makes pointer from integer without a cast
> a.c:8: warning: assignment makes pointer from integer without a cast
> critter phk> ./a
> a in free(): error: chunk is already free
> Abort (core dumped)
> critter phk>
>
> The malloc flag 'A' determines if the situation is just warned about
> or if the program should call abort(3).
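To illustrate the design point made in the quoted message (housekeeping kept apart from the allocated range, so a double free is recognised and either warned about or turned into abort(3)), here is an added example written for this page; it is not phkmalloc's code and not from the thread. The wrapper names `track_malloc`, `track_free` and `track_abort_on_error` are hypothetical, and the tracking table is a deliberately simple stand-in for a real allocator's out-of-band metadata.

```c
#include <stdio.h>
#include <stdlib.h>

#define TRACK_SLOTS 64
enum { TRACK_OK, TRACK_DOUBLE_FREE, TRACK_UNKNOWN };

/* Hypothetical checking allocator: bookkeeping lives in this table, never
 * next to the caller's bytes, so a second free() is detected, not trusted. */
static struct { void *p; int live; } track_tab[TRACK_SLOTS];
int track_abort_on_error = 0;   /* like phkmalloc's 'A' flag: 1 = abort(3) */

void *track_malloc(size_t n)
{
    void *p = malloc(n);
    int empty = -1;
    if (p == NULL) return NULL;
    for (int i = 0; i < TRACK_SLOTS; i++) {
        /* address recycled after an earlier free: mark it live again */
        if (track_tab[i].p == p) { track_tab[i].live = 1; return p; }
        if (track_tab[i].p == NULL && empty < 0) empty = i;
    }
    if (empty < 0) { free(p); return NULL; }   /* table full: refuse, stay exact */
    track_tab[empty].p = p;
    track_tab[empty].live = 1;
    return p;
}

int track_free(void *p)
{
    if (p == NULL) return TRACK_OK;     /* free(NULL) is a no-op */
    for (int i = 0; i < TRACK_SLOTS; i++) {
        if (track_tab[i].p != p) continue;
        if (!track_tab[i].live) {       /* same diagnosis phkmalloc prints */
            fprintf(stderr, "track_free(): error: chunk is already free\n");
            if (track_abort_on_error) abort();
            return TRACK_DOUBLE_FREE;   /* the block is NOT passed to free() again */
        }
        track_tab[i].live = 0;
        free(p);
        return TRACK_OK;
    }
    fprintf(stderr, "track_free(): error: pointer not allocated here\n");
    return TRACK_UNKNOWN;
}

/* Replays a.c from the quoted message: first block leaked, second freed twice.
 * Returns 1 when the second free is caught. */
int replay_double_free(void)
{
    char *p = track_malloc(256);        /* leaked, exactly as in a.c */
    p = track_malloc(256);
    return track_free(p) == TRACK_OK && track_free(p) == TRACK_DOUBLE_FREE;
}
```

With `track_abort_on_error` left at 0 the second free is reported and refused; setting it to 1 reproduces the "Abort (core dumped)" behaviour shown above.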