Linked by Andrew Youll on Thu 7th Jul 2005 16:44 UTC
Privacy, Security, Encryption

A serious security flaw has been identified in Zlib, a widely used data compression library. Fixes have begun to appear, but a large number of programs could be affected.
Got it
by Anonymous on Thu 7th Jul 2005 17:14 UTC
Anonymous
Member since:
---

I was updating my SuSE system just before I browsed here. I found the zlib updates and applied them! Then I browsed and read about the security hole ;)

Long live OSS; MS takes, what, months to fix their shit.

Reply Score: 0

RE: Got it
by Thom_Holwerda on Thu 7th Jul 2005 17:27 UTC in reply to "Got it"
Thom_Holwerda Member since:
2005-06-29

Mmm, the YOU on my SuSE 9.3 doesn't show any updates at all. Where did you get it from? What version of SuSE are you running?

Reply Score: 5

Been awhile...
by Anonymous on Thu 7th Jul 2005 17:14 UTC
Anonymous
Member since:
---

This hasn't happened since the Mandrake 8.x days. I remember having to update almost the entire system, because so much depends on zlib. This should be fun on Gentoo. I guess it is time to emerge sync.

Reply Score: 0

jt
by Anonymous on Thu 7th Jul 2005 17:18 UTC
Anonymous
Member since:
---

Not to troll...

We have discussed before the pros/cons of ways to handle packages, with some distros rolling everything into one package (I think GoboLinux and PC-BSD, or something like that).

And as was mentioned before, instead of one hole in your operating system you would have numerous occurrences. Here is one shining example... is it not?

Reply Score: 1

RE: jt
by hobgoblin on Thu 7th Jul 2005 18:26 UTC in reply to "jt"
hobgoblin Member since:
2005-07-06

Most likely you're referring to PC-BSD, as GoboLinux still has the libs separated from the apps, i.e. update once and you get them all, as long as the update doesn't break one of them.

Still, if that happens you can keep the lib around for those few, and as they are updated they will no longer use the old one, so eventually you can remove it.

Reply Score: 1

Ubuntu Fix
by archiesteel on Thu 7th Jul 2005 17:23 UTC
archiesteel
Member since:
2005-07-02

I actually learned about the vulnerability when I saw that there was an updated zlib package for Ubuntu.

I have to say I'm quite pleased with the speed of updates on this distro.

To the anonymous troll: do you view security flaws in Windows as a failure of the closed-source software model?

Reply Score: 5

FreeBSD
by Buck on Thu 7th Jul 2005 17:23 UTC
Buck
Member since:
2005-06-29

If I get it right, FreeBSD had it fixed for about a month already.

Reply Score: 1

Ah... no
by Buck on Thu 7th Jul 2005 17:24 UTC
Buck
Member since:
2005-06-29

Ah no, that was for the gzip problem.

Reply Score: 1

early warning
by netpython on Thu 7th Jul 2005 17:25 UTC
netpython
Member since:
2005-07-06

Makes it obvious again how important early warning and the means of updating are.

Reply Score: 1

RE[2]: Ubuntu Fix
by Anonymous on Thu 7th Jul 2005 17:30 UTC in reply to "RE: Ubuntu Fix"
Anonymous Member since:
---

Including the security flaws that aren't contained in open source software? I can't make sense of that argument, could you please help me understand?

CaptainN

Reply Score: 0

@ Thom_Holwerda
by Anonymous on Thu 7th Jul 2005 17:29 UTC
Anonymous
Member since:
---

YHBT.

Reply Score: 0

Zlib...
by ma_d on Thu 7th Jul 2005 17:35 UTC
ma_d
Member since:
2005-06-29

I don't think there's been a month of my Linux-using life yet where zlib hasn't had a vulnerability....

Seriously, this library just seems to be riddled with security and/or stability issues.

RedHat seems to replace it constantly.

Reply Score: 1

RE: Zlib...
by Latem on Thu 7th Jul 2005 17:58 UTC in reply to "Zlib..."
Latem Member since:
2005-07-06

Huh, where are you getting this info? I just searched through Mandriva and Suse security advisories, and there are only 2 zlib security advisories within the last 2+ (almost 3) years...

I really don't think this is that big of a deal. Pretty much all major Linux distributions had a fix within 24-48 hours after the discovery. And it certainly is painless to update this. As they explain in the article, pretty much everything uses this as a shared library. One update to fix most of the affected software.

Reply Score: 1
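Latem's point (one shared-library update fixes everything that links libz dynamically) has a flip side raised later in the thread: a program that statically linked zlib keeps its own copy and gets nothing from the library update. The script below is an added example, not code from the thread, from zlib or from any distribution. It reports the libz version the running interpreter actually loaded, and scans file contents for the copyright strings that zlib's deflate.c and inftrees.c leave inside any statically linked binary. The sample blobs are constructed; the "review" threshold of 1.2.2 is the release the thread's patch targets, and a distro build patched in place keeps that string, so a hit means "check this binary", not "this binary is vulnerable".

```python
import os
import re
import zlib
from typing import Dict, List, Tuple

# zlib's deflate.c and inftrees.c each carry a copyright string that survives
# into any binary that statically links them, for example
#   " inflate 1.2.2 Copyright 1995-2004 Mark Adler "
# The regex matches that layout; names and years are not checked.
ZLIB_MARK = re.compile(rb"\b(inflate|deflate) (\d+\.\d+\.\d+[\w.-]*) Copyright ")

# 1.2.2 is the release the thread's Debian/Slackware patch targets (assumption:
# anything at or below it is worth a look; a back-patched build keeps the string).
AFFECTED_MAX = (1, 2, 2)


def parse_version(text: str) -> Tuple[int, ...]:
    """Leading numeric components of a zlib version string: '1.2.2' -> (1, 2, 2)."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def find_embedded_zlib(data: bytes) -> List[Tuple[str, str]]:
    """(component, version) for every embedded zlib copyright string in data."""
    return [(m.group(1).decode(), m.group(2).decode()) for m in ZLIB_MARK.finditer(data)]


def classify(version: str) -> str:
    """'review' when the embedded copy is at or below the affected release."""
    return "review" if parse_version(version) <= AFFECTED_MAX else "ok"


def scan_blobs(blobs: Dict[str, bytes]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map name -> [(component, version, verdict)] for every blob that embeds zlib."""
    report = {}
    for name, data in blobs.items():
        hits = [(c, v, classify(v)) for c, v in find_embedded_zlib(data)]
        if hits:
            report[name] = hits
    return report


def scan_directory(root: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Read every regular file under root (symlinks skipped) and scan it."""
    blobs = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            if os.path.isfile(p) and not os.path.islink(p):
                with open(p, "rb") as fh:
                    blobs[p] = fh.read()
    return scan_blobs(blobs)


def shared_zlib_version() -> str:
    """Version of the libz the interpreter loaded at run time (the shared-library side)."""
    return getattr(zlib, "ZLIB_RUNTIME_VERSION", zlib.ZLIB_VERSION)


# Constructed sample "binaries": filler bytes around the strings real builds embed.
SAMPLE_BLOBS = {
    "app-static-old": b"\x7fELF" + b"\0" * 32
    + b" inflate 1.2.2 Copyright 1995-2004 Mark Adler \0"
    + b" deflate 1.2.2 Copyright 1995-2004 Jean-loup Gailly \0",
    "app-static-older": b"\x7fELF\0\0 inflate 1.2.1 Copyright 1995-2003 Mark Adler \0",
    "app-dynamic": b"\x7fELF" + b"\0" * 16 + b"libz.so.1\0",  # uses the shared library
}

if __name__ == "__main__":
    print("shared libz in use:", shared_zlib_version())
    for name, hits in scan_blobs(SAMPLE_BLOBS).items():
        for component, version, verdict in hits:
            print(f"{name}: embedded {component} {version} -> {verdict}")
```

Point scan_directory at /usr/bin or a vendor's install tree to list the binaries that bundled their own zlib and therefore need a rebuild rather than a library update.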

re (IP: 66.98.198.---)
by Anonymous on Thu 7th Jul 2005 17:42 UTC
Anonymous
Member since:
---

First, I make a motion to ban (IP: 66.98.198.---).

Second, software is written by humans, and is therefore fallible.... Security comes into question when something is discovered and not fixed, so shall we bet who has it fixed first? And should we bet who will KNOW they have it fixed: the open source systems that have to update one library, or the closed-source systems that have it rolled into a bunch of different programs? Do they know what all programs have it? What about third-party closed-source programs that use it? How will M$ update some program you downloaded from the web that happens to use the library... they WON'T!

Open source has responded to the threat, and due to better design it will be a simple fix. M$ on the other hand... go figure...

Can I second the motion as well... ;)

Reply Score: 2

RE: re (IP: 66.98.198.---)
by haugland on Fri 8th Jul 2005 09:10 UTC in reply to "re (IP: 66.98.198.---)"
haugland Member since:
2005-07-07

I agree that software is fallible. But software can be a lot better if the programmers focus on quality. Both open and closed software have their share of ignorant/lazy coders, and quality can be good or bad for both open and closed software.

Libraries used in so much software ought to be better. And the lack of quality control is as much a responsibility of the programmers that use the library as of the programmers that make the library.

Regarding fixes: the really important aspect is how easy it is for the user to fix the problem. For some distros this is easier than for Windows, and for some it is not. But this is something open source is getting much better at, IMO.

Reply Score: 1

RE[2]: re (IP: 66.98.198.---)
by BigZaphod on Fri 8th Jul 2005 15:59 UTC in reply to "RE: re (IP: 66.98.198.---)"
BigZaphod Member since:
2005-07-06

What do you mean a lack of quality control? If there was a total lack, this hole wouldn't even be known and yet here it is announced having been fixed!

I don't understand how so many people can jump all over developers every time a *fix* to a vulnerability is released. Where does the unreasonable expectation that all software be released in a perfect state come from?

No products are ever perfect when they are released, and many classes of products can take generations to get right. Using the classic car example, consider how much safer and longer-lasting automobiles have become over the years as manufacturers refine their processes. Does anyone seriously think that the first Model T should have rolled off the line looking and feeling like a modern-day compact that can do 200,000 miles in its lifetime and is outfitted with airbags, anti-lock brakes, crumple zones, and an alarm system? That's just plain unreasonable.

Any new piece of software that does something different is somewhat akin to a new line of car. Every new software author is similar to a new and up-and-coming auto manufacturer. Each product (car, software, candy, etc.) always has its own share of quirks which can take a long time to iron out, and each time a new manufacturer or developer enters the scene, they have a lot of things to learn about getting up to speed with what they are doing, what the common practices are, and how to generally do business.

There will be mistakes. Some developers are still learning the tricks of the trade, and some software is maturing and settling into its niche where finally the quirks are becoming understood. Don't ever let anyone fool you into thinking that the "professional" software developers are somehow more prepared than the amateurs in this regard - after all, it seems the only thing that separates a professional from an amateur is whether or not they get paid for it. Most highly active open source authors are professional programmers or system administrators during the day. When they go home and release something they've created on their own time they suddenly become listed as amateurs, and when there's a bug it is clearly the fault of inexperience and/or ineptitude? That makes no sense.

Reply Score: 1

Re: Got it
by Anonymous on Thu 7th Jul 2005 17:44 UTC
Anonymous
Member since:
---

Well, I am on SuSE 9.2. I am using gwdg as a source, so it may not be really official.

Reply Score: 0

Zlib Source
by facerw on Thu 7th Jul 2005 18:08 UTC
facerw
Member since:
2005-07-07

Anybody hear when the source code is released? I have about half a dozen Linux/Unix and Solaris boxes to upgrade.

Reply Score: 1

RE: Zlib Source
by Anonymous on Fri 8th Jul 2005 13:56 UTC in reply to "Zlib Source"
Anonymous Member since:
---

> Anybody hear when the source code is released?

Here's the patch from Gentoo Linux's CVS repository:

http://www.gentoo.org/cgi-bin/viewcvs.cgi/*checkout*/sys-libs/zlib/...

Reply Score: 0

Quickly fixed
by Brian on Thu 7th Jul 2005 18:14 UTC
Brian
Member since:
2005-06-29

Hadn't read this story, but I noticed it was fixed on my Ubuntu desktop machine and Debian server when I checked for updates a couple of hours ago. Certainly fast work, a good example of how free software folks can get their act together when it's something this critical. Still got a FreeBSD machine to do tomorrow when I get around to it, but the advisory is already on their website as well.

Now I just need to wait for Apple, who will hopefully have an update available tomorrow morning.

Reply Score: 1

vanilla patch?
by Anonymous on Thu 7th Jul 2005 18:24 UTC
Anonymous
Member since:
---

The article says:

"Mark Adler [a Zlib co-author] responded to my report with a patch"

Does anyone know where the zlib team has posted the patch at?

Reply Score: 0

RE: vanilla patch?
by LiNuCe on Fri 8th Jul 2005 00:59 UTC in reply to "vanilla patch?"
LiNuCe Member since:
2005-07-07

I don't know if the zlib team posted a patch, but you can use the patch [1] included in the Debian source package [2] which fixes this security issue. It seems that the only file concerned is inftrees.c. This is the patch I used to fix zlib-1.2.2 on Slackware Linux 10.1.

[1] http://www.debian.org/security/2005/dsa-740
[2] http://linuce.free.fr/zlib-1.2.2-inftrees.c.diff

Reply Score: 2

Score 1 for FOSS...
by Anonymous on Thu 7th Jul 2005 18:27 UTC
Anonymous
Member since:
---

Hmmmm... The flaw was found by an OSS team auditing the source code. They made a fix in a couple of minutes, then passed it on to the original author, who double-checked everything, and in less than a day they had a verified patch that was picked up by major distributors and disseminated. Since only the library needs to be replaced, it's a small fix.

Meanwhile, MS is "looking into it". Since zlib is statically linked into many of their executables, I suspect the "looking" involves deciding whether or not it's worth the hassle of fixing now or waiting to see if they can roll it into the next service pack.

Reply Score: 1

Enough with the comparisons to MS
by TaterSalad on Thu 7th Jul 2005 18:38 UTC
TaterSalad
Member since:
2005-07-06

Ok, this is getting ridiculous. Zlib has a flaw and it gets patched. One small little program. This is a third-party library that Linux distros include. It's not created by the Linux kernel hackers or the distro makers themselves. So how does the speed at which this is being patched compare to Microsoft releasing patches for a whole operating system instead of one small program? It doesn't at all. You are comparing a third party to the vendor. Apples and oranges.

Reply Score: 2

Clinton Member since:
2005-07-05

It is relevant because Microsoft uses Zlib too.

The Linux, BSD, etc. guys are already patched (or at least have a patch available), but Microsoft can't do that so they are "looking into it". This means that your Windows box(es) are still vulnerable to the flaw while the OSS systems out there are not.

That's why the comparison is far from "ridiculous".

Reply Score: 3

MS comparisons relevant
by Anonymous on Thu 7th Jul 2005 19:03 UTC
Anonymous
Member since:
---

> So how does the speed this is being patched compare
> to Microsoft releasing patches for a whole
> operating system instead of one small program?

a) static linking is lame unless it's in a kernel or rescue app, mmmmk?
b) if it affects MS products, a patch should come fast
c) most every other vendor using zlib has responded
d) Microsoft keeps shouting "WE ARE MORE SECURE" from the rooftops

For reference, I run Gentoo Linux.

scylla# ls -l /lib/libz*2
-rwxr-xr-x 1 root root 69768 Jul 6 11:12 /lib/libz.so.1.2.2

That's right, the date says yesterday @ 11:12am.

Every second that there isn't patching for MS' products is another strike against them.

Reply Score: 1

RE: Apache rules.
by Anonymous on Thu 7th Jul 2005 19:24 UTC
Anonymous
Member since:
---

s/Apache/Windows/
s/Red Hat/Microsoft/

Reply Score: 0

Lost in the Flame War
by Anonymous on Thu 7th Jul 2005 19:34 UTC
Anonymous
Member since:
---

What is being lost in all the comparisons with MS is that this vulnerability was discovered by Tavis Ormandy of the Gentoo Linux Security Audit Team. For those who don't understand: He was performing a security audit of the code - something that very few vendors do of their own stuff, even when they charge an arm and a leg for their crapware.

Reply Score: 0

RE: Lost in the Flame War
by Celerate on Fri 8th Jul 2005 07:16 UTC in reply to "Lost in the Flame War"
Celerate Member since:
2005-06-29

"For those who don't understand: He was performing a security audit of the code - something that very few vendors do of their own stuff, even when they charge an arm and a leg for their crapware."

What so many people don't realize is that programming isn't as simple as the "baking a cake" analogy they are often presented with; that is by far an oversimplification. Programming is more comparable to advanced math in my opinion: you need to do research, problem-solve, design the program, write it, test it to see if it works, and finally fix any bugs you find. If you do happen to find a bug, you have to filter through all the code to find out where it's happening, then you have to figure out why it's happening, and finally you have to figure out how to make it work. It can take an eternity to make sure code doesn't have bugs, and developers can't make money if they don't release their software eventually.

Programming languages aren't pseudocode. A lot of people think of writing a program in terms of the way a human mind would work: people can read instructions off a piece of paper and follow them despite grammar errors, misspelled words and incorrect words, and of course people can compensate for errors in the instructions. Programming isn't like that; you don't get to think in terms of how things work in your brain any more, you have to think in terms of what the compiler can translate instead, and even when something compiles that only means the compiler hasn't found any of the common errors in the code that it was programmed to recognize, not that the program works the way it should. Trust me, writing a program isn't as simple as what you've seen on TV or in person; you can't get a grasp of what's going on inside the developer's head when you're only watching them work, and just because a developer knows what to type doesn't mean it's always easy.

Of course you know by now that I am going by the assumption that you haven't any prior experience with programming, please don't be insulted if this isn't the case as the assumption was simply so I wouldn't write anything too complicated if my assumption turned out to be correct.

My point is basically that people don't know or appreciate how complicated programming can get. I get really irritated when people believe what they see in movies, where some "Hollywood hacker" sits at a computer, glances at someone's code for a minute or two, and then points out and fixes all the bugs in it. Why does it irritate me? The simple answer is that so many people believe that it's really that easy. Writing software isn't so easy that any Joe Sixpack off the street can learn it in 24 hours, or in 7 days; learning how to program is actually gradual, and with languages like C++ it will usually take at least two years to get a good grasp of the language. Finding bugs gets even harder than writing the program, and that's because most bugs aren't obvious, may never be found for years, and are usually discovered by accident because they didn't show up in tests. Please keep that in mind before you assume that because software has bugs in it, the developer didn't audit it enough.

Reply Score: 2

FC4 fix available
by Anonymous on Thu 7th Jul 2005 19:53 UTC
Anonymous
Member since:
---

FC4 has the fix available. I just ran "yum update" and it's taken care of :-)

Unfortunately I don't think Debian sarge is going to be able to jump quickly on this one with their current security issues :-(

Reply Score: 0

RE: FC4 fix available
by facerw on Thu 7th Jul 2005 20:18 UTC in reply to "FC4 fix available"
facerw Member since:
2005-07-07

Actually Debian sarge has the fix. Debian woody doesn't.

Reply Score: 1

RE[2]: FC4 fix available
by cm__ on Thu 7th Jul 2005 21:27 UTC in reply to "RE: FC4 fix available"
cm__ Member since:
2005-07-07

> Actually Debian sarge has the fix.

Yeah, that's been a pleasant surprise. Things seem to be back to normal with Debian security.

Reply Score: 1

RE[2]: Failure
by Shannara on Thu 7th Jul 2005 20:08 UTC
Shannara
Member since:
2005-07-06

I have to agree, but it's not just open source, it's the whole source (closed, open, etc.) together. So I wouldn't single out the open source model as a failure at all. I put a plus 1 on your comment since a troll gave you -5.

Reply Score: 1

Open-source vs. closed-source quality
by fretinator on Thu 7th Jul 2005 20:29 UTC
fretinator
Member since:
2005-07-06

I work primarily as a closed-source developer, and I can attest, after seeing MANY thousands of lines of closed-source code, that open source code is normally of a much higher quality. It is simply amazing to me the number of $1,000,000 projects that consist of code with no real coding standards - poor indentation, poorly-named variables, etc. When I look at the code of open-source programs I have to compile, I see none of this.

Reply Score: 5

sappyvcv Member since:
2005-07-06

That has little to nothing to do with the code being open or closed source. It's simply the people that worked on it. Open/closed source is a LICENSE, not a methodology for the style to write code.

Reply Score: 1

LiNuCe Member since:
2005-07-07

> Open/closed source is a LICENSE, not a methodology for the style to write code.

You are right. However when you write open source code, you know by definition that you potentially expose it to public developers, among whom there are competent people. Sometimes they are even more competent than you, so you tend to write it as clean as you can. Obviously, it does not mean your code is not error-prone. By the way, "as clean as you can" is quite subjective and does not always mean "clean" ;)

Reply Score: 2

Site Owners
by rm6990 on Thu 7th Jul 2005 20:44 UTC
rm6990
Member since:
2005-07-04

I believe you should implement a new feature in OSNews 3.1.

There should be a "ban person" button under each comment. People using anonymizer.com or not logged in should not be able to use this. It should only allow one click per IP address per post. If more than 30 people click to ban someone from the site in a certain time period, their IP address should be completely blocked from access. I don't think we should have to wade through some of the posts being put on this forum, especially people who are subscribers (I'll admit I'm not, and never will be until this problem is fixed).

Even if people don't end up getting banned, it will keep them in-line.

Reply Score: 1

Remote takeover exploits with Windows
by Anonymous on Thu 7th Jul 2005 21:42 UTC
Anonymous
Member since:
---

If you load up a new WinXP install, go to Windows Update and load all the updates, count how many of them involve resolving problems which otherwise could have led to a remote system compromise. <tin foil hat conspiracy time> There's tons of them. I wonder if they're really bugs at all or just publicly discovered backdoors.</tin foil hat>

Thank god modern Linux distros don't suffer from all these remote compromise holes.

Reply Score: 0

Gentoo Security of course ;)
by Anonymous on Fri 8th Jul 2005 00:14 UTC
Anonymous
Member since:
---

Of course it was the security team of the best distro around that found the flaw ;)

Reply Score: 1

Bugs and vulnerabilities
by Amanda on Fri 8th Jul 2005 18:26 UTC
Amanda
Member since:
2005-07-06

I think there is a difference between bugs and vulnerabilities...

Bugs are those problems of a software that affect users, either something is malfunctioning or displaying unexpected behaviour, during the software's expected usage.

Vulnerabilities are usually those potential holes in a piece of software where malicious people can write specific code attacking such holes to achieve their specific purpose.

Compared to bugs, which can be prevented or removed through extensive testing by programmers and users, vulnerabilities are usually more difficult to detect. This is not only because of the fact that most programmers are not malicious people ;D , but also because people usually have a set of assumptions and don't usually foresee the problems that may arise if these assumptions are not met.

It's like, bakers have to make sure the bread they bake is safe to eat, delicious and good-looking. But it's just difficult for them to foresee (or do anything) to stop malicious people from adding in poisons to the bread intentionally to kill someone.

If the world were so perfect, London's police and intelligence departments could have stopped Bin Laden's bombers before anything happened. As always, things can be improved, but even though God is so powerful, there are still chances for the devil to come in and mess things up. So, please do not blame the programmers (Microsoft's or otherwise) for not being as thoughtful as Bin Laden...

However, the zlib example demonstrates how bugs and vulnerabilities of commonly used shared libraries can pose widespread and serious risks... the world will need discussions on how better methodologies or procedures can be implemented to eliminate such risks if things do go wrong.

Reply Score: 1

saxiyn:
by AdamW on Fri 8th Jul 2005 19:39 UTC
AdamW
Member since:
2005-07-06

and Mandriva MDKSA-2005:112, dated July 6th like the others. I think there was some sort of collaboration between Linux vendors on releasing a fix simultaneously (that's my guess, not fact...)

Reply Score: 1

RE[3]: re (IP: 66.98.198.---)
by haugland on Mon 11th Jul 2005 11:09 UTC
haugland
Member since:
2005-07-07

Obviously there is quality control. But maybe it should have taken place before release. A lot of programmers have used the library before sufficient quality control.

No products are ever perfect -- I agree on that. But a library which is designed to be used by many different applications should be of a better quality than the average software. The OpenBSD team have shown the way!

Not all programs need to be designed with security in mind. But many do.

I am not blaming the programmers who created the library. But if programmers use libraries without doing anything to assess the quality, they should be aware of the risks. So you have to either trust the team that made the library, check whether anyone else has reviewed the software, or check it yourself (or live with the uncertainty).

Reply Score: 1