– By Grant Gross
A buffer overflow vulnerability affecting the PPP code in the Linux kernel, Netscape and up to 20 packages in some Linux distributions has been found in the popular compression library zlib. The potential is for crackers to gain remote access to computer systems using zlib, but a fix is available.
Dave Wreski, corporate manager for Open Source security company Guardian Digital and publisher of LinuxSecurity.com, says there’s no known exploit for the vulnerability, but it’s a serious issue because of the sheer number of programs relying on zlib or a variant of it statically linked into their binaries.
“That means that you can’t just rebuild or fix zlib and then reboot the system and have it re-dynamically link against the library,” Wreski says. “You have to actually recompile the binary.”
LinuxSecurity.com has posted an article with links to security advisories and other information and an an advisory to Guardian Digital’s EnGarde Linux, including a fix for the six affected packages in EnGarde. Quoting that advisory: “The zlib shared library may attempt to free() a memory region more than
once, potentially yielding a system exploitable by certain programs that
use it for decompression. Because certain packages include their own
zlib implementation or statically link against the system zlib, several
packages need to be updated to properly fix this bug.”
Packages affected also include X11, rsync and programs that do network compression, Wreski says. Netscape includes network compression in its Navigator package.
“The potential is certainly for root compromise,” Wreski says. “Because it’s network compression, it’s conceivable that it could be a remote root exploit as well.” For example, if you were using Netscape and connected to a Web site with malicious code, you could be vulnerable, he adds.
Linux vendors and the CERT Coordination Center are working together get the word out about the vulnerability.