PerlMonks  

Possible security problem in CPAN modules / CVE-2018-25032

by cavac (Priest)
on Mar 31, 2022 at 11:19 UTC (#11142570=perlnews)

Dear fellow Perl developers,

zlib, the compression library (also known as libz, deflate, compress on various systems) has a major flaw. While the bug is 17 years old, it only got attention in the last few days and weeks.

It even has a backdated CVE, because the bug was discovered years ago, but not fixed: CVE-2018-25032

See also: https://zlib.net/

It is known that this can cause at least denial-of-service attacks, but RCE (remote code execution) is not entirely out of the cards to my knowledge.

I have done a casual grep through my local CPAN mirror (yay for local mirrors!), which has given me a list of potentially vulnerable modules. There are over 90 of them. Yes, there are probably a few false negatives and a few false positives, as I didn't have time to go over each distribution in detail.

Please check your CPAN distributions for any use of zlib.c, libz.c, deflate.c, compress.c and similar variants and update as necessary. If at all possible, I would also recommend switching to the zlib provided by the operating system, or at least coordinating with other CPAN authors to reduce the number of static copies of the zlib library spread all over CPAN modules.

The basic problem with distributing your own copy of a library like that is simple: instead of it getting automatically updated with security fixes by the operating system or distribution vendor, it is up to YOU to track the library and provide security updates for your CPAN distributions. And you have to get the users to not only update the operating system, you also have to get them to update their installed Perl modules. While providing your own copies of C libraries is convenient, provides safety against incompatibilities with locally installed libraries and so on, in case of a security problem this can place a lot of extra burden on the end users of your code. They suddenly have to go through every installed Perl module, plus all the other non-Perl programs, to make their system secure again.

Perl isn't the only software environment that has this problem. Many other projects also maintain local copies of these kinds of "simple but essential" libraries in their source code control. The list of potentially vulnerable programs is quite impressive. So far, I've seen mention (but have not confirmed it myself) of Chromium, Firefox, ImageMagick, Gimp, VLC and the Linux kernel, among quite a few other programs. This stems from the fact that zlib / the deflate algorithm is used in, for example, the HTTP protocol and PNG image files.

Because of the number of modules NOT using the zlib library installed with the operating system but instead using a static/local copy of the C files, a security problem like this (or worse) can take a long time to fix. It is up to all of us to work together and reduce the number of copies of potentially vulnerable code.

Thanks in advance for your help in solving this security problem.

Sincerely,

Rene "cavac" Schickbauer

perl -e 'use Crypt::Digest::SHA256 qw[sha256_hex]; print substr(sha256_hex("the Answer To Life, The Universe And Everything"), 6, 2), "\n";'
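The post asks authors to check their distributions for bundled zlib sources. The script below is an added example (my own, not code from this thread or from any CPAN distribution) that does that check a step further than a bare grep: it walks a tree of already-unpacked distributions (the layout under the argument directory is an assumption, for instance every .tar.gz of a local mirror extracted into its own directory), treats a zlib.h with a deflate.c beside it as a bundled copy, reads the ZLIB_VERSION string out of the header and flags anything older than 1.2.12, the release zlib.net lists as fixed. Run without an argument it builds a small constructed sample tree (not real CPAN content) so it can be tried stand-alone.

```shell
#!/bin/sh
# Added example, not code from the PerlMonks thread or from any CPAN
# distribution it names. Scans a tree of *unpacked* CPAN distributions
# (layout under $1 is an assumption) for bundled copies of zlib, reads the
# bundled ZLIB_VERSION from zlib.h and flags anything older than 1.2.12,
# the first release zlib.net lists as fixed for CVE-2018-25032.

FIXED_VERSION="1.2.12"

# version_lt A B: succeed (exit 0) when dotted version A is lower than B.
# Component-wise numeric compare, so 1.2.8 < 1.2.12 (a plain string
# compare would get that wrong).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# zlib_header_version FILE: print the ZLIB_VERSION string defined in a zlib.h
# (the real header carries a line like: #define ZLIB_VERSION "1.2.12").
zlib_header_version() {
    sed -n 's/^#define[[:space:]]*ZLIB_VERSION[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# scan_zlib_copies DIR: one line per bundled copy, "STATUS VERSION DIRECTORY".
# A zlib.h only counts as a bundled copy when deflate.c sits next to it; a
# lone header usually means the module links against the system zlib, which
# is one of the false positives a grep for "zlib" alone would report.
scan_zlib_copies() {
    find "$1" -type f -name zlib.h | sort | while read -r hdr; do
        dir=$(dirname "$hdr")
        [ -f "$dir/deflate.c" ] || continue
        ver=$(zlib_header_version "$hdr")
        if [ -z "$ver" ]; then
            status="UNKNOWN"; ver="-"
        elif version_lt "$ver" "$FIXED_VERSION"; then
            status="VULNERABLE"
        else
            status="OK"
        fi
        printf '%s %s %s\n' "$status" "$ver" "$dir"
    done
}

# make_sample_tree: constructed sample input (NOT real CPAN content) so the
# script can be exercised without a mirror; prints the directory it created.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/Old-Dist/zlib-1.2.8" "$t/Fixed-Dist/zlib" "$t/System-Zlib-Dist"
    printf '#define ZLIB_VERSION "1.2.8"\n' > "$t/Old-Dist/zlib-1.2.8/zlib.h"
    : > "$t/Old-Dist/zlib-1.2.8/deflate.c"
    printf '#define ZLIB_VERSION "1.2.12"\n' > "$t/Fixed-Dist/zlib/zlib.h"
    : > "$t/Fixed-Dist/zlib/deflate.c"
    printf '#define ZLIB_VERSION "1.2.8"\n' > "$t/System-Zlib-Dist/zlib.h"  # header only: skipped
    printf '%s\n' "$t"
}

# Usage: sh scan-zlib.sh /path/to/unpacked/cpan   (no argument: scan the sample tree)
if [ -n "$1" ]; then
    scan_zlib_copies "$1"
else
    sample=$(make_sample_tree)
    scan_zlib_copies "$sample"
    rm -rf "$sample"
fi
```

Treat the version string as a prompt to look, not a verdict: a vendored copy can carry the fix backported without a ZLIB_VERSION bump, and a copy reported OK can still be rebuilt into a module that was compiled long ago. For the module you actually have installed, what matters is the zlib compiled into it; `perl -MCompress::Raw::Zlib -e 'print Compress::Raw::Zlib::zlib_version(), "\n"'` reports that for Compress::Raw::Zlib, whether it came from the bundled zlib-src or from the system library.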

Re: Possible security problem in CPAN modules / CVE-2018-25032
by hexcoder (Deacon) on Apr 05, 2022 at 08:11 UTC
    Thanks!
    Quotes (emphasis by me):
        zlib, the compression library (also known as libz, deflate, compress on various systems) has a major flaw.
        It even has a backdated CVE, because the bug was discovered years ago, but not fixed:
    To clarify: the latest zlib version 1.2.12 as of March 27th 2022 is fixed according to https://zlib.net/.
Re: Possible security problem in CPAN modules / CVE-2018-25032
by larryl (Monk) on Apr 01, 2022 at 15:29 UTC

    Hi Rene -

    Re.:

    I have done a casual grep through my local CPAN mirror (yay for local mirrors!), which has given me a list of potentially vulnerable modules.

    Could you share what patterns you were grepping for?

    Thanks! Larry

      Basically, I grepped for zlib.c and deflate.c (and I think libz.c as well). As I said, my check was very simplistic. It didn't start as "which packages have a problem", but more along the lines of "let's estimate the size of the problem".

      I was limited in the time I could spend on this. As best as I could, I tried compiling a list of maintainers' email addresses and sent them a mail, then posted this thread on PM. After that, I had to go back to my regularly scheduled slavery.


      I believe this is all of them, though maybe the string I looked for needs tweaking:

      https://grep.metacpan.org/search?q=exclude+worst+case+performance+for+pathological+files&qd=&qft=&qls=on

      You can also look for the files if you check out the repo grep.metacpan.org uses. At which point you get:

      $> git ls-files | egrep '(in|de)flate\.c'
      A/Alien-FreeImage/src/Source/ZLib/deflate.c
      A/Alien-FreeImage/src/Source/ZLib/inflate.c
      A/Archive-Unzip-Burst/unzip-6.0/inflate.c
      B/BackupPC-XS/zlib/deflate.c
      B/BackupPC-XS/zlib/inflate.c
      B/Business-KontoCheck/zlib/deflate.c
      B/Business-KontoCheck/zlib/inflate.c
      C/Compress-Raw-Zlib/zlib-src/deflate.c
      C/Compress-Raw-Zlib/zlib-src/inflate.c
      C/Compress-Zopfli/zopflib/src/zopfli/deflate.c
      F/Filter-gunzip/devel/exe-zlib-inflate.c
      G/Git-Raw/deps/libgit2/deps/zlib/deflate.c
      G/Git-Raw/deps/libgit2/deps/zlib/inflate.c
      G/Git-XS/xs/libgit2/deps/zlib/deflate.c
      G/Git-XS/xs/libgit2/deps/zlib/inflate.c
      I/Image-PNG-Simple/zlib-1.2.8/deflate.c
      I/Image-PNG-Simple/zlib-1.2.8/inflate.c
      L/LibZip/myldr/zlib-src/deflate.c
      L/LibZip/myldr/zlib-src/inflate.c
      P/PDL-IO-Matlab/matio-1.5.0/src/inflate.c
      P/Protocol-WebSocket-Fast/clib/tests/deflate/deflate.cc
      T/Tk/PNG/zlib/deflate.c
      T/Tk/PNG/zlib/inflate.c
      W/Win32-File-Summary/deflate.c
      W/Win32-File-Summary/inflate.c
      c/cppAdaptive1/src/dlib/external/zlib/deflate.c
      c/cppAdaptive1/src/dlib/external/zlib/inflate.c
      c/cppAdaptive2/src/dlib/external/zlib/deflate.c
      c/cppAdaptive2/src/dlib/external/zlib/inflate.c
      p/perl/cpan/Compress-Raw-Zlib/zlib-src/deflate.c
      p/perl/cpan/Compress-Raw-Zlib/zlib-src/inflate.c
