“The software bug–known as a buffer overflow–caused key memory-management functions in the zlib compression library to fail, a condition that could allow a smart attacker to compromise Linux computers over the Internet, said Dave Wreski, director for open-source security company Guardian Digital”. Read the rest of the report at News.com.
Flaw Leaves Linux Computers Vulnerable
Submitted by David Yuckert 2002-03-11 Privacy, Security 13 Comments
“Linux Computers” seems like a pretty vague term for the audience here.
There’s nothing wrong with Linux — there’s a security vulnerability in zlib, which, as the article mentions, is used in many operating systems and applications.
quake3 being a good example of a program that uses the zlib
zlib is present in ANY os in a form or another…
Less FUD please
It’s apparently a bug in conjunction with how linux handles malloc. Therefore it’s a linux bug and not one in [Open/Free]BSD/others.
>>zlib is present in ANY os in a form or another… Less FUD please<<
>>”Linux Computers” seems like a pretty vague term for the audience here. There’s nothing wrong with Linux — there’s a security vulnerability in zlib, which, as the article mentions, is used in many operating systems and applications.<<
Jeez, THIS is why a lot of people hate Linux. These are classical typical responses ANYTIME ANYBODY suggests a thought that sheds a less than positive light on Linux.
Guest what people: LINUX IS NOT PERFECT. I know you’ll never sleep the same again, but thats just the way shit happens, you’ll have to get over it.
Quit prickpicking the termonoloy, the FACT is any OS, INCLUDING LINUX DISTOs are going to have security flaws in them – – – its really no big deal. Now that somebody pointed it out, one of the many Stallman lackeys will fix it (in record time, I’m sure).
Any of you Linux freakers getting ready to explain to world VIA this post, why the article is FUD/FALSE etc., Let me do you the favor and sum up ALL of your posts in one quick little phrase:
Because THAT is all you people ever have to say about ANY Linux problem. Such denial is not healthy.
The actual problem is calling free() on an already free()’d block of memory. glibc doesn’t check for this by default whereas the other OS’s that use zlib do. Therefore, it’s a bug in zlib that is triggered because of a design decision in glibc. It only affects linux systems because they’re the only ones using glibc (probably affects HURD too).
If you want this behavior, you can get it easily on Linux/glibc. From the malloc(3) manual page:
Recent versions of Linux libc (later than 5.4.23) and GNU libc (2.x) include a malloc implementation which is tunable via environment variables. When MALLOC_CHECK_ is set, a special (less efficient) implementation is used which is designed to be tolerant against simple errors, such as double calls of free() with the same argument, or overruns of a single byte (off-by-one bugs). Not all such errors can be proteced against, however, and memory leaks can result. If MALLOC_CHECK_ is set to 0, any detected heap corruption is silently ignored; if set to 1, a diagnostic is printed on stderr; if set to 2, abort() is called immediately. This can be useful because otherwise a crash may happen much later, and the true cause for the problem is then very hard to track down.
go and install it
“The library’s functions are “used in network compression, so connecting to untrusted services could allow a hostile site to allocate space in a way that triggers a buffer overflow,” Wreski said.”
This doesn’t help the mythology that only Microsoft has security problems and nobody else.
> This doesn’t help the mythology that only Microsoft has
> security problems and nobody else.
The difference is that MS flaws are usually found by independent auditors, whereas GNU/Linux problems are usually found by the community itself. This zlib problem, for example, was found by Red Hat developers. Since GNU/Linux is GPL, they released their findings like they should. When MS finds a problem, they don’t tell anyone. Users must trust that MS has found and fixed all the problems they could when in reality there is a good chance that MS have deliberately chosen not to fix some problems for one reason or other (e.g. to meet a release deadline).
What does this mean? Firstly, if you can’t see the code, you can’t trust the vendor 100%. Secondly, it lends to the myth that GNU/Linux has more bugs than proprietary (e.g. MS) products. All GNU/Linux bugs are fully disclosed to the community as a whole, whereas MS can hide the existance of bugs through their ownership of the code.
“This doesn’t help the mythology that only Microsoft has security problems and nobody else.”
I don’t think there is a myth that claims Linux is flawless. The FACT is that Linux is more secure than Windows and that when a defect is found, everyone is immediately notified, a patch or update is released, everyone installs the update and we’re all happy again.
This really isn’t anything like the Linux thing mentioned in this article, but it is interesting and just goes to show that everyone makes mistakes with C.
If you want to see something really cool, type:
printf( ” ” );
Into MS Visual Studio, compile it, then run it and watch your machine blue screen or just die completely. All you’re doing here is tabbing twice and backspacing 6 times over and over again.
You might think that because this is an infinite loop that it’s not a big deal that the machine crashes, but actually if you add some text before the tabs ( ) in your printf statement you’ll notice that the printf statement only runs once before crashing the machine.
Try doing other infinite loops (like replacing the ‘s and ’s with your name) and you’ll see that they don’t crash the machine and you are able to CTRL+C out of them.
Hey, I’m glad they found it! And they alredy posted a fix! Now that’s hot! Why are people complaining?
Tell me ONE time that M$ had done the same for a little bug for theur OS? N E V E R!
Instead they say: All your base are belong to us!
Scroll down this huge list and you will also find that microsoft uses zlib.
Officially Linux is just the kernel. But the whole OS is commonly referred to as Linux. Who really cares?