{"vuid":"VU#368819","idnumber":"368819","name":"Double Free Bug in zlib Compression Library Corrupts malloc's Internal Data Structures","keywords":["zlib","compression library","DoS","denial of service","invalid PNG image","double free memory"],"overview":"There is a bug in the zlib compression library that may manifest itself as a vulnerability in programs that are linked with zlib. This may allow an attacker to conduct a denial-of-service attack, gather information, or execute arbitrary code. It is important to note that the CERT/CC has not received any reports of exploitation of this bug. Based on the information available to us at this time, it is difficult to determine whether this bug can be successfully exploited. However, given the widespread deployment of zlib, we have published this document as a proactive measure.","clean_desc":"There is a bug in the decompression algorithm used by the popular zlib compression library. If an attacker is able to pass a specially-crafted block of invalid compressed data to a program that includes zlib, the program's attempt to decompress the crafted data can cause the zlib routines to corrupt the internal data structures maintained by malloc. The bug results from a programming error that causes segments of dynamically allocated memory to be released more than once (i.e., \"double-freed\"). Specifically, when inftrees.c:huft_build() encounters the crafted data, it returns an unexpected Z_MEM_ERROR to inftrees.c:inflate_trees_dynamic(). When a subsequent call is made to infblock.c:inflate_blocks(), the inflate_blocks function tries to free an internal data structure a second time. Because this bug interferes with the proper allocation and deallocation of dynamic memory, it may be possible for an attacker to influence the operation of programs that include zlib. In most circumstances, this influence will be limited to denial of service or information leakage, but it is theoretically possible for an attacker to insert arbitrary code into a running program. This code would be executed with the permissions of the vulnerable program.","impact":"This bug may introduce vulnerabilities into any program that includes the affected library. Depending upon how and where the zlib routines are called from the given program, the resulting vulnerability may have one or more of the following impacts: denial of service, information leakage, or execution of arbitrary code.","resolution":"Upgrade your version of zlib\nThe maintainers of zlib have released version 1.1.4 to address this vulnerability. Any software that is linked to or derived from an earlier version of zlib should be upgraded immediately. The latest version of zlib is available at http://www.zlib.org. These are the MD5 checksums for zlib version 1.1.4:\nabc405d0bdd3ee22782d7aa20e440f08 zlib-1.1.4.tar.gz\n9bf1d36ced334b0cf1f996f5c8171018 zlib114.zip\nThe maintainers of zlib have published an advisory regarding this issue; for further information, please see http://www.gzip.org/zlib/advisory-2002-03-11.txt\nApply a patch from your vendor\nThe zlib compression library is freely available and used by many vendors in a wide variety of applications. Any one of these applications may contain vulnerabilities that are introduced by this vulnerability. For the most recent information available to the CERT/CC, please see the vendor section of this document.","workarounds":"","sysaffected":"","thanks":"The CERT/CC thanks Owen Taylor and Mark Cox of Red Hat, Inc. for reporting this vulnerability. We also thank Mark Adler of zlib.org for contributing to our research and Matthias Clasen for contributing to the discovery of this vulnerability.","author":"This document was written by Jeffrey P. Lanza.","public":["http://bugzilla.gnome.org/show_bug.cgi?id=70594","http://www.gzip.org/zlib/advisory-2002-03-11.txt","http://www.libpng.org/pub/png/pngapps.html","http://www.redhat.com/support/errata/RHSA-2002-026.html","http://www.securityfocus.com/bid/4267","http://securitytracker.com/alerts/2002/Mar/1003783.html","http://xforce.iss.net/xforce/xfdb/8427","http://www.ciac.org/ciac/bulletins/m-062.shtml"],"cveids":["CVE-2002-0059"],"certadvisory":"CA-2002-07","uscerttechnicalalert":null,"datecreated":"2002-02-07T19:55:08Z","publicdate":"2002-03-11T00:00:00Z","datefirstpublished":"2002-03-11T20:01:44Z","dateupdated":"2005-07-08T13:33:04Z","revision":62,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"5","cam_exploitation":"0","cam_internetinfrastructure":"10","cam_population":"20","cam_impact":"19","cam_easeofexploitation":"10","cam_attackeraccessrequired":"20","cam_scorecurrent":"21.375","cam_scorecurrentwidelyknown":"42.75","cam_scorecurrentwidelyknownexploited":"71.25","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":21.375,"vulnote":null}