Security - could someone explain?

Johan Bergström johbe at linux.se
Tue Mar 12 19:49:41 EST 2002 

Yes, there is a securityrisk with the zlib (compression library) bug. If
you run debian read http://security.debian.org and do what they tell you.
If you then run apt-get update && apt-get upgrade -y every day, you dont
need to worry much. All holes are fixed within a week, this special bug
took about a day to get fixed. The last ssh bug took about 12 hours until
there was a fix in debian for it. There are *lots* of bugs out there. If
you really want to protect yourself from evil blackhats, setup a firewall
and shut off every port you dont use, and shut down services you dont use
and read security howtos.

If you run any other dist than debian, you'll have to use their
update/upgrading tools, or upgrade manually which can be a heckofa job if
you have meny binaries statically linked against zlib.

On Tue, 12 Mar 2002, Georgina wrote:

> Hi
>
> Soneone has forwarded this on from another list and I wondered if
> there's a serious risk?
>
> From:    "Martin Roberts" <martin at mproberts.co.uk>
> Subject: FW: (Access-UK) - Flaw leaves Linux computers vulnerable
> Date:    Tue, 12 Mar 2002 10:22:50 +0000
>
>
> -----Original Message-----
> From: Dj Paddy [mailto:t.toner at ntlworld.com]
> Sent: 12 March 2002 01:01
> To: Dj Paddy
> Subject: (Access-UK) - Flaw leaves Linux computers vulnerable
>
>
> Flaw leaves Linux computers vulnerable
>
> By
> Robert Lemos
> Staff Writer, CNET News.com
> March 11, 2002, 2:10 PM PT
>
> update A flaw in a software-compression library used in all versions of
> Linux could leave the lion's share of systems based on the open-source
> operating
> system open to attack, said sources in the security community on Monday.
>
> Several other operating systems that use open-source components are
> vulnerable too varying degrees as well.
>
> The software bug--known as a double-free vulnerability--causes key
> memory-management functions in the zlib compression library to fail, a
> condition that
> could allow a smart attacker to compromise computers over the Internet, said
> Dave Wreski, director for open-source security company Guardian Digital.
>
> flashframe frame
>
>  frame
> They came in search of better software.
> They came in search of better software.
>  frame end
> flashframe frame end
>
> "It is just a matter of time before an exploit is developed," Wreski said.
>
> The flaw, discovered by Linux user Matthias Clasen and Owen Taylor, an
> engineer at Linux-software company Red Hat, affects any Linux program that
> uses the
> zlib library for decompression, including the core software of the operating
> system, the kernel.
>
> Because the problem is in a library--a set of code that can be shared by any
> application that links to it--multiple programs could be affected by the
> flaw.
> In fact, many non-Linux operating systems use the library, making them
> vulnerable as well, said Mark Cox, senior director of engineering at Red
> Hat.
>
> "Zlib is used on all sorts of operating systems: the BSDs and even Solaris,"
> Cox said. "While any operating system that uses the library is affected, the
> ability to exploit the vulnerability depends on the operating system."
>
> The graphical basis for the Linux desktop, X11, uses the library, as does
> the common software foundation for the Linux-based Netscape and Galeon
> browsers.
> Many image-editing programs, which use the library for compression, also
> will be affected by the flaw.
>
> The library's functions are "used in network compression, so connecting to
> untrusted services could allow a hostile site to allocate space in a way
> that
> triggers a buffer overflow," Wreski said.
>
> "Because the vulnerability is in a library, that means that the attacker has
> to identify programs that use the library," said Dave Ahmad, threat analysis
> manager for security information company SecurityFocus. "There are also a
> bunch of applications that borrow code from the library."
>
> Weaving the code directly into another application--known as statically
> linking--means that fixing the programs is much more difficult. Where simply
> installing
> a new version of the zlib software on systems will repair the flaw in
> applications that merely access the library, any program that has borrowed
> the code
> itself will have to be patched on its own.
>
> Known as a "double-free vulnerability," the software bug causes programs
> that use the zlib compression library to behave unpredictably when a
> malicious
> program tries to free memory more than once. Most legitimate programs
> wouldn't try to repeatedly free memory except by accident, but attackers
> could use
> such a technique to attempt to force the operating system to run code
> designed to take over the computer.
>
> Originally, Clasen, a Linux user, found the problem when an image he had
> created in the open-source Portable Network Graphics, or PNG, format crashed
> a
> popular image program. When notified of the problem, Red Hat's Taylor
> discovered that the issue wasn't with the program but the library used for
> decompression.
>
> "Owen found that it was a bigger problem than was first thought," said Red
> Hat's Cox. "At that stage, we realized that there was a significant security
> hole."
>
> Red Hat worked with the Computer Emergency Response Team (CERT) Coordination
> Center at Carnegie Mellon University to disseminate information about the
> flaw
> to software companies.
>
> CERT/CC is expected to release more information Monday afternoon, but would
> not comment on the vulnerability.
>
> E-mail story
> Print story
> Send us news tips
> Also from CNET Networks
> Builder.com, the most comprehensive new software development site
> Try Computer Shopper Magazine for Free, click here!
> Search the newest job listings right now
> ZDNet Tech Update: Cut telecom costs in half
> Palm makes a colorful entrance with two new PDAs
>
>  Search
>
>
>    News.com
> Go!
>
> Latest Headlines
> display on desktop
> DoubleClick unloads e-mail list unit
> HP merger wins another endorsement
> Study: Broadband demand "strong"
> Oracle enhances hosted business apps
> Cisco disclosing more in filings
> SEC requests WorldCom documents
> Hatch asks music stores for feedback
> Compaq, Lucent look to wireless future
> HP, Compaq: Sales to guide product picks
> Financial services sector drives up Dow
> New drives rewrite HP DVD+RW line
> HP director: Big shareholders like merger
> Savoring Spam: A true story
> Behind the broadband access fight
> Broadband battle stalling, switching tack
> Sabre: Expedia beating Travelocity
> Wells Fargo latest target in scams
> Sony releases two new handhelds
> Dell drops plan to sell Unisys server
> Infineon boosts memory chip output
> This week's headlines
>
> News Tools
>
> Get news by PDA
> Get news by mobile
> Listen live to CNET Radio
>
> CNET News.com Newsletters
> Stay on top of the latest tech news.
>
> News.com Daily Dispatch
>
> News.context (weekly)
>
> Investor Daily Dispatch
> Your e-mail here
>
> Sign me up!
>
> More Newsletters
> Send us news tips |
> Contact Us |
> Corrections |
> Privacy Policy
> frontdoor/0-1
> Featured services:
> Tax software |
> Computer Shopper magazine |
> Tech jobs |
> Free newsletters |
> Popular products
>
>   CNET Networks:
> Builder |
> CNET |
> GameSpot |
> mySimon |
> TechRepublic |
> ZDNet
> About CNET
> Copyright
> )1995-2002 CNET Networks, Inc. All rights reserved.
> CNET Jobs
>
>
>
> ------------------------ Yahoo! Groups Sponsor ---------------------~-->
> Access Your PC from Anywhere
> Full setup in 2 minutes! - Free Download
> http://us.click.yahoo.com/Y8IZpD/2XkDAA/yigFAA/dpFolB/TM
> ---------------------------------------------------------------------~->
>
> To unsubscribe from this list, send a blank message with no subject heading
> or text in the body to
>
> access-uk-unsubscribe at yahoogroups.co.uk
>
>
>
> Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
>
>
>
>
>
> Gena
> ______________________________________________________________________
> Please Note:
> All html messages are automatically deleted as they are considered to be a
> security risk.
>
> Announcing Blindness Advocacy and Self-Help Online [BASHOnline]
> www.bashonline.org you can join the mailing list by sending a message to:
> bashonline-subscribe at yahoogroups.com
>
> Personal site:  www.gena-j.net
>
> Contact Info:  MSN ID: gena1959uk at hotmail.com (No mail to this address
> please) it will not be read:  ICQ ID:  144169465:
>
>
> _______________________________________________
> Speakup mailing list
> Speakup at braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup
>

More information about the Speakup mailing list