From: "J.A. Magallon" <jamagallon@able.es>
To: paulus@samba.org
Cc: marcelo@conectiva.com.br, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] zlib double-free bug
Date: Mon, 18 Mar 2002 15:49:46 +0100
Message-ID: <20020318144946.GA7052@werewolf.able.es>
In-Reply-To: <15509.51214.495427.580341@argo.ozlabs.ibm.com>

On 2002.03.18 Paul Mackerras wrote:
>Recently CERT published an advisory, warning about a bug in zlib where
>a chunk of memory could get freed twice, depending on the data being
>decompressed, which could potentially give a way to attack a system
>using zlib. The reference is
>
> http://www.cert.org/advisories/CA-2002-07.html
>
>All 3 of the versions of zlib in the current 2.4 kernel have this bug.
>The version in 2.5 doesn't because it handles memory allocation in a
>different way.
>
>The patch below fixes this bug in each of the three copies of zlib.c,
>in the same way that it is fixed in the zlib-1.1.4 release (basically
>by making sure that s->sub.trees.blens is always freed whenever, and
>only when, s->mode is changed from BTREE or DTREE to some other value).
>
>In the longer term I recommend that the 2.5.x changes to use a single
>copy of zlib in lib/zlib_{deflate,inflate} should be back-ported to
>2.4. For now, this patch should be applied to 2.4.x since the bug is
>a potential security hole if you are using PPP with Deflate
>compression.
>
Someone posted it was here:
ftp://ftp.kernel.org/pub/linux/kernel/people/dwmw2/shared-zlib/
The only remnants it leaves in 19-pre3 are:
./arch/ppc/boot/lib/zlib.c
./arch/ppc/boot/include/zlib.h
The patch already does:
--- linux-2.4.19-pre2-ac2/arch/ppc/config.in Sun Mar 3 18:54:31 2002
+++ linux-2.4.19-pre2-ac2-zlib/arch/ppc/config.in Tue Mar 5 08:57:31 2002
@@ -396,6 +396,8 @@
source net/bluetooth/Config.in
fi
+source lib/Config.in
+
mainmenu_option next_comment
comment 'Kernel hacking'
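Review bot: the `source lib/Config.in` line added after the `fi` only makes the shared library options selectable on ppc; nothing in this hunk removes or redirects arch/ppc/boot/lib/zlib.c, so that private copy stays in the tree and still needs the double-free fix on its own. Either add a follow-up that converts the boot code to the shared copy, or state in the changelog that the boot copy is deliberately left and has to be patched separately.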
So wouldn't it be better to kill ppc/.../zlib and make it also use the
shared copy?
BTW, it is the ONLY file in arch/ppc/boot/lib, so the whole dir could be killed
(at least in the standard tree, I do not know about the ppc branch...)
--
J.A. Magallon # Let the source be with you...
mailto:jamagallon@able.es
Mandrake Linux release 8.2 (Bluebird) for i586
Linux werewolf 2.4.19-pre3-jam3 #1 SMP Fri Mar 15 01:16:08 CET 2002 i686
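
The rule quoted above (free s->sub.trees.blens whenever, and only when, the mode leaves BTREE or DTREE), shown as an added example that is not part of the original mail and is not code from zlib or the kernel. The struct, the helper names, the buffer size and the error path are assumptions made up for illustration; only mode, BTREE, DTREE and blens come from the mail.

```c
#include <stdlib.h>

/* Simplified model, NOT zlib source. mode/BTREE/DTREE/blens follow the mail;
 * the helpers and the error path are constructed for illustration. */
enum mode { TYPE, BTREE, DTREE, CODES, BAD };

struct state {
    enum mode mode;
    unsigned *blens;  /* owned only while mode is BTREE or DTREE */
    int releases;     /* instrumentation: release calls for this buffer */
};

static int in_tree(enum mode m) { return m == BTREE || m == DTREE; }

/* Counts each release; clears the pointer so the demo never really double-frees. */
static void release_blens(struct state *s) {
    s->releases++;
    free(s->blens);
    s->blens = NULL;
}

/* The invariant: release exactly when leaving BTREE/DTREE for another mode. */
static void set_mode(struct state *s, enum mode next) {
    if (in_tree(s->mode) && !in_tree(next))
        release_blens(s);
    s->mode = next;
}

/* Flawed pattern: releases on every error, changes mode only on some. */
static void fail_flawed(struct state *s, int data_error) {
    release_blens(s);
    if (data_error)
        s->mode = BAD;
}

/* Fixed pattern: an error that keeps the mode also keeps the buffer. */
static void fail_fixed(struct state *s, int data_error) {
    if (data_error)
        set_mode(s, BAD);
}

/* One allocation, one error, one reset. The correct result is exactly 1. */
int releases_after_error(int fixed, int data_error) {
    struct state s = { BTREE, calloc(16, sizeof(unsigned)), 0 };
    if (fixed) fail_fixed(&s, data_error); else fail_flawed(&s, data_error);
    set_mode(&s, TYPE);  /* reset trusts mode to decide ownership */
    return s.releases;
}

int main(void) { return releases_after_error(1, 0) == 1 ? 0 : 1; }
```

With the flawed error path, an error that leaves the mode in BTREE yields two releases for one allocation; routing every transition through set_mode keeps the count at one in all four cases.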