Zlib security heads up

Duane Maxwell dmaxwell at san.rr.com
Mon Mar 18 19:34:42 UTC 2002


The particular bug is a duplicate call to free() with the same pointer, and
the problem is an issue primarily on Linux because many (most?)
distributions utilize a memory manager that skips certain safety checks in
exchange for speed. I haven't closely examined the particular use of the
library in Squeak, but it may be that we don't even call the offending
function.

The "potential root exploit" for this "glitch" (to use the official happy
friendly Microsoft term for "gaping security hole") is hard to imagine if
the program being attacked does not run as root.  Even then it is more
likely that one can cause a program to crash with a carefully formed
compressed packet - so it's more of a "denial of service" type of exploit
through damage to the heap.  Most root exploits are of the "buffer overflow"
type, which allow you to place code on the stack by exceeding the size of a
local array.

-- Duane

----- Original Message -----
From: "John Hinsley" <johnhinsley at blueyonder.co.uk>
To: <squeak-dev at lists.squeakfoundation.org>
Sent: Monday, March 18, 2002 10:39 AM
Subject: Re: Zlib security heads up


> On Mon, 18 Mar 2002, Marcus Denker wrote:
> > On Fri, Mar 15, 2002 at 11:25:52PM +0000, John Hinsley wrote:
> > > Zlib is the OpenSource compression library used in (at least) Linux,
> > > BSD and Windows.
> > >
> > > A bug has been discovered which potentially leaves a system open to
> > > root exploits.
> > >
> > The unix VM seems to contain the zlib sources. But it is only used
> > for decompressing compressed images.
>
> Well, it doesn't do much more in *nix (or Windows) generally. After all,
> Zlib is "just" everyone's favourite compression library. I can't see many
> people relying on Squeak as a way in, but anything linking to an unpatched
> Zlib is potentially hazardous/at risk.
>
> We're talking here of a kind of exploit that's extremely difficult to do,
> the first time. Then the knowledge gets posted to the web and every script
> kiddy can do it. Suddenly there are a lot of strange chmods going on, your
> Apache is hosting a Korean porn site and your Sendmail is posting vbs
> worms to all and sundry. Eeek!
>
> More generally, if Alan Cox tells me it's urgent, it means "fit the damn
> patch _now_!"
>
> Cheers
>
> John
>  --
> They're afraid, very afraid......
> According to CRN magazine, Microsoft staff discovering Linux in use
> will now have access to a special 'escalation' team.
> Now, where did I put that stake and mallet?
> http://www.newsforge.com/article.pl?sid=02/01/16/0310222&mode=nocomment
>
>
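The bug pattern Duane describes at the top of the thread (free() called twice with the same pointer, and an allocator that skips the check that would catch it) and the "damage to the heap" he contrasts with a stack overflow, as an added example that is not part of the original thread and not zlib's or Squeak's own code. The tracked_malloc/tracked_free wrapper, its fixed-size table of live allocations, and the SAFE_FREE macro are all illustrative constructions assumed here; a real allocator keeps this state in its own chunk metadata, and which zlib function was affected is not stated on the page and is not guessed at.

```c
/* Added example, not from the original thread or from zlib: a minimal
 * double-free illustration plus the kind of "is this pointer actually
 * live?" check that a fast allocator may omit. The live[] table, the
 * tracked_* wrappers and SAFE_FREE are assumptions for this demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 64

/* Pointers currently outstanding from tracked_malloc(). */
static void *live[MAX_LIVE];
static int live_count = 0;

void *tracked_malloc(size_t n) {
    if (live_count >= MAX_LIVE) return NULL;
    void *p = malloc(n);
    if (p) live[live_count++] = p;
    return p;
}

/* Returns 0 on a valid free, -1 on a double free or a pointer this
 * allocator never handed out. On -1 nothing is touched, so the chunk
 * metadata (and thus the heap) is not corrupted. */
int tracked_free(void *p) {
    for (int i = 0; i < live_count; i++) {
        if (live[i] == p) {
            live[i] = live[--live_count];   /* unordered removal */
            free(p);
            return 0;
        }
    }
    return -1;  /* not live: already freed or foreign pointer */
}

/* The bug from the thread, reproduced through the tracked wrapper so the
 * second free() is observed rather than left to damage the heap. Returns
 * 1 when the first free succeeds and the second is rejected. */
int double_free_demo(void) {
    char *buf = tracked_malloc(32);
    if (!buf) return -99;
    strcpy(buf, "compressed payload");     /* constructed sample data */
    int first = tracked_free(buf);         /* 0: valid */
    int second = tracked_free(buf);        /* -1: caught */
    return (first == 0 && second == -1) ? 1 : 0;
}

/* The usual defensive idiom at the call site: null the pointer when it is
 * freed, so a later accidental free is free(NULL), a no-op by the C
 * standard. Assumed helper, not a zlib API. */
#define SAFE_FREE(p) do { free(p); (p) = NULL; } while (0)

/* Returns 1 if two SAFE_FREEs of the same variable leave it NULL. */
int safe_free_demo(void) {
    char *buf = malloc(16);
    if (!buf) return -99;
    SAFE_FREE(buf);
    SAFE_FREE(buf);   /* second call frees NULL: harmless */
    return buf == NULL;
}

int main(void) {
    printf("double free caught by tracker: %d\n", double_free_demo());
    printf("null-after-free idiom ok:      %d\n", safe_free_demo());
    return 0;
}
```

The point of the tracker is only to make the check visible: a production allocator that validates chunk state on free() rejects the second call the same way, while one tuned for speed without that check unlinks the same chunk twice and corrupts its own free-list metadata, which is the heap damage the post refers to. Whether that damage stays a crash or becomes something worse depends on what the attacker controls around the corrupted chunk, which is why "denial of service" is the conservative reading rather than a guarantee.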