Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 5 Dec 2016 08:15:09 +0100
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>,
	cve-assign@...re.org
Subject: CVE Request: zlib security issues found during audit

Hi,

Mozilla has asked Trail of Bits / TrustInSoft to audit zlib 
https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib

which had some findings (1 medium, 4 low):

https://wiki.mozilla.org/images/0/09/Zlib-report.pdf

extracting from the referenced document:

https://docs.google.com/document/d/10i1KZS5so8xDqH2rplRa2xet0tyTvvJlLbQQmZIUIKE/edit

zlib SOS Fund Audit Fix Log
Identified Issues

Finding 1: Incompatible declarations for external linkage function deflate (Medium)
Fix: https://github.com/madler/zlib/commit/3fb251b363866417122fe54a158a1ac5a7837101
VERIFIED


Finding 2: Accessing a buffer of char via a pointer to unsigned int (Low)
Mark Adler (zlib): [This] will remain as is. Yes, speed matters a great deal. The comment in
the report: "In the longer term, platform specific micro-optimizations should be deprecated.
These optimizations may no longer be necessary: modern compilers are much better at
optimizing and vectorizing code than they used to be." does not apply. This is not a
micro-optimization, and unless the compiler has the intelligence and creativity of a good
mathematician well-versed in discrete mathematics, can detect the application of Galois
Fields in the code, know somehow to postulate a theorem for an equivalent calculation over
GF(2) that will, in the end, improve the speed, prove that theorem, and then generate on its
own the additional tables to apply that theorem, then no, there is no way that a compiler is
coming up with that one.
UNRESOLVED:This issue remains under discussion to determine whether there is a way
which removes the mismatched pointer without affecting performance.


Finding 3: Out-of-bounds pointer arithmetic in inftrees.c (Low)
Fix: https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0
     https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380cecb
VERIFIED

Finding 4: Undefined left shift of negative number (Low)
Fix: https://github.com/madler/zlib/commit/e54e1299404101a5a9d0cf5e45512b543967f958
(This was already fixed on the development branch before being discovered.)
VERIFIED

Finding 5: Big-endian out-of-bounds pointer (Low)
Fix: https://github.com/madler/zlib/commit/d1d577490c15a0c6862473d7576352a9f18ef811
VERIFIED

Ciao, Marcus

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.