[24985] in bugtraq
Re: VNC Security Bulletin - zlib double free issue (multiple vendors and versions)
daemon@ATHENA.MIT.EDU (Anthony DeRobertis)
Fri Apr 5 19:32:20 2002
Date: Fri, 5 Apr 2002 05:21:19 -0500
Content-Type: text/plain; charset=US-ASCII; format=flowed
Mime-Version: 1.0 (Apple Message framework v481)
Cc: <bugtraq@securityfocus.com>
To: "Andrew van der Stock" <ajv@greebo.net>
From: Anthony DeRobertis <asd@suespammers.org>
In-Reply-To: <001201c1dc79$d6d52150$0100a8c0@BUBBLES>
Message-Id: <DEA38DBA-487E-11D6-908D-00039355CFA6@suespammers.org>
Content-Transfer-Encoding: 7bit
On Friday, April 5, 2002, at 03:13 AM, Andrew van der Stock wrote:
> Apple's statement is: "Mac OS X and Mac OS X Server do not contain this
> vulnerability." Do MacOS X and MacOS X Server even have a copy of zlib
> (i.e. libz.so) by default? Or is it down to the FreeBSD malloc / free
> behavior of MacOS X? Hard to say - not a lot of information to go on.
I'm pretty sure it's the FreeBSD behavior that protects it because:
Mac OS X includes libz:
/System/Library/Frameworks/JavaVM.framework/Versions/1.3.1/Libraries/libzip.jnilib
/usr/lib/libz.1.1.3.dylib
/usr/lib/libz.1.dylib
/usr/lib/libz.dylib
The following program does not crash, and indeed produces
the warning messages that FreeBSD describes it should:
#include <stdlib.h>

int main(void) {
    void *ptr;
    int x;
    for (x = 0; x < 10000; ++x) {
        ptr = malloc(123456);
        free(ptr);
        free(ptr);   /* deliberate double free: this is what the test exercises */
    }
    return 0;
}
It produces these warnings:
*** malloc[27202]: Deallocation of a pointer not malloced:
0x84000; This could be a double free(), or free() called with
the middle of an allocated block; Try setting environment
variable MallocHelp to see tools to help debug
(many, many times)
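The behaviour the message relies on is an allocator that checks whether a pointer handed to free() is actually a live allocation, and refuses the second free instead of corrupting its heap metadata. The following is an added example, not part of the original post and not FreeBSD's or Apple's malloc code: a small debugging wrapper (hypothetical names dbg_malloc, dbg_free, dbg_bad_free_count, dbg_live_count) that keeps a table of live allocations, rejects and logs a free of anything not in the table, and runs the same allocate/free/free sequence as the post's test program. It also shows the free-and-null idiom, where the second call sees NULL and is a harmless no-op.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed debugging allocator (not a real platform malloc):
 * records every live allocation so that a free() of an unknown
 * pointer, e.g. a double free, can be detected and refused. */

#define MAX_LIVE 1024

static uintptr_t live[MAX_LIVE];   /* addresses currently allocated */
static int live_count;
static int bad_free_count;         /* frees of non-live pointers seen */

/* Index of p in the live table, or -1 if p is not a live allocation. */
static int find_live(uintptr_t p) {
    int i;
    for (i = 0; i < live_count; i++)
        if (live[i] == p) return i;
    return -1;
}

void *dbg_malloc(size_t n) {
    void *p = malloc(n);
    if (p != NULL && live_count < MAX_LIVE)
        live[live_count++] = (uintptr_t)p;
    return p;
}

/* Returns 1 on a valid free (or free(NULL), a no-op by definition),
 * 0 if p is not a live allocation: the pointer is logged and NOT
 * passed to free(), so the heap is never touched twice. */
int dbg_free(void *p) {
    int i;
    if (p == NULL) return 1;
    i = find_live((uintptr_t)p);
    if (i < 0) {
        bad_free_count++;
        fprintf(stderr, "dbg_free: %p is not a live allocation; "
                        "double free or foreign pointer\n", p);
        return 0;
    }
    live[i] = live[--live_count];   /* remove entry, keep table dense */
    free(p);
    return 1;
}

int dbg_bad_free_count(void) { return bad_free_count; }
int dbg_live_count(void) { return live_count; }

/* The sequence from the post: allocate, free, free again.
 * Returns how many of the two frees were rejected (expected: 1). */
int double_free_demo(void) {
    int rejected = 0;
    void *p = dbg_malloc(123456);
    if (!dbg_free(p)) rejected++;
    if (!dbg_free(p)) rejected++;   /* caught here, never reaches free() */
    return rejected;
}

/* Same sequence with the free-and-null idiom: the second call
 * receives NULL and is a no-op. Returns rejected count (expected: 0). */
int free_and_null_demo(void) {
    int rejected = 0;
    void *p = dbg_malloc(123456);
    if (!dbg_free(p)) rejected++;
    p = NULL;
    if (!dbg_free(p)) rejected++;
    return rejected;
}

int main(void) {
    printf("double free: %d rejected\n", double_free_demo());
    printf("free-and-null: %d rejected\n", free_and_null_demo());
    printf("bad frees logged: %d, live allocations: %d\n",
           dbg_bad_free_count(), dbg_live_count());
    return 0;
}
```

A linear table is enough to show the check; a real allocator keeps this information in its chunk headers or a side bitmap, which is why the platform warning above mentions "free() called with the middle of an allocated block" as another case the same lookup catches. The idiom in free_and_null_demo is the usual source-level defence against a double free on an error path: once the owning pointer is cleared, any later cleanup that frees it again does nothing.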