Discovering copies of zlib

zlib is a very widely used compression library with occasional security problems. This document describes how to identify program binaries which include statically linked copies of zlib, and thus may need a security update.

How does fingerprinting work?

The zlib <http://www.zlib.net/> program code contains several data tables whose bit patterns are characteristic for the library. The contents of one of these tables is deliberately changed for each new version by the zlib maintainer. As a result, these bit patterns can be used to locate likely statically linked copies of zlib (including the version number) in program binaries, even if copyright notices have been removed.

These bit patterns are based on data constants, not machine code sequences. As a result, at most two signature instances are needed per bit pattern (one for big-endian and one for little-endian machines), rather than one signature for each architecture and compiler combination.

The fingerprint databases published here use the free antivirus scanner ClamAV <http://www.clamav.net/>. Note that this does not imply that zlib is a virus or some other kind of malware. ClamAV is just the right tool to scan a large number of files for a long list of patterns.

There is an older tool called find-zlib which performs a similar task (which I wrote when previous zlib vulnerabilities were disclosed). This program continues to work for new zlib versions, as long as the copyright strings have not been altered or removed. However, it is much slower than ClamAV.

Generic zlib fingerprints

These fingerprints cover all released zlib versions. The signature names have the following format:

ZLIB.zlib-0.92
ZLIB.zlib-0.93-1.0.4
ZLIB.zlib-1.1.5f-n
[some signature names have been omitted]
ZLIB.zlib-1.2.2.3

All names begin with the string "ZLIB.". If a signature does not uniquely identify a particular zlib version, a range of version numbers is given in the signature name. In some cases, there might be two patterns for a single zlib version, a big-endian version (".BE" suffix) and a little-endian version (".LE" suffix). Currently, there are no such signatures.

Generic inflate decompressor fingerprints

These patterns are even more generic than the zlib patterns above. They match most inflate decompressor implementations, even if they are not based on the zlib source code. As a result, they are not very useful for identifying zlib versions, but they might be useful for other purposes.

The following signatures are available:

INFLATE.CPLENS.16BE
INFLATE.CPLENS.16LE
INFLATE.CPLENS.32BE
INFLATE.CPLENS.32LE

These patterns are based on a central table (which was called cplens in older zlib versions). Four different versions are provided, for different endiannesses and data type widths.
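The following added example (my own illustration, not code from the page or from the zlib or ClamAV projects) shows how a data-constant fingerprint of the kind described above and under "How does fingerprinting work?" is derived and matched: it serialises the deflate length-base table (the values behind the cplens table, taken from RFC 1951; the published signature bytes are not on this page, so this reconstruction is an assumption) in the four endianness/width variants, emits them in the legacy ClamAV .db "Name=hex" syntax (also an assumption about that format), and searches a constructed binary blob for them.

```python
import struct

# Deflate length-base values for codes 257..285 (RFC 1951). zlib's cplens/lbase
# table begins with these 29 constants; the pattern below is reconstructed from the
# RFC, not copied from the published signature database.
LENGTH_BASE = [3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31,
               35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258]


def table_pattern(width, endian):
    """Serialise the table as a compiler lays it out in .rodata:
    fixed-width unsigned integers (16 or 32 bit) in BE or LE byte order."""
    fmt = {"BE": ">", "LE": "<"}[endian] + {16: "H", 32: "I"}[width] * len(LENGTH_BASE)
    return struct.pack(fmt, *LENGTH_BASE)


# One byte pattern per endianness/width combination, named like the page's signatures.
SIGNATURES = {f"INFLATE.CPLENS.{w}{e}": table_pattern(w, e)
              for w in (16, 32) for e in ("BE", "LE")}


def clamav_db_line(name, pattern):
    """Format one signature in the legacy ClamAV .db syntax, Name=hexbytes
    (assumption: the basic hex-signature format of .db files)."""
    return f"{name}={pattern.hex()}"


def scan(blob):
    """Return every (signature name, offset) at which a table pattern occurs in blob.
    Because the patterns are data constants, the same search works for any CPU."""
    hits = []
    for name, pat in SIGNATURES.items():
        off = blob.find(pat)
        while off != -1:
            hits.append((name, off))
            off = blob.find(pat, off + 1)
    return sorted(hits, key=lambda h: h[1])


# Constructed stand-in for a program binary: an ELF-like header, padding, a 16-bit
# little-endian copy of the table, filler, then a 32-bit big-endian copy.
SAMPLE_BINARY = (b"\x7fELF" + b"\x00" * 60
                 + SIGNATURES["INFLATE.CPLENS.16LE"] + b"\xcc" * 32
                 + SIGNATURES["INFLATE.CPLENS.32BE"] + b"\x00" * 16)

if __name__ == "__main__":
    for name, pat in SIGNATURES.items():
        print(clamav_db_line(name, pat))
    print(scan(SAMPLE_BINARY))  # [('INFLATE.CPLENS.16LE', 64), ('INFLATE.CPLENS.32BE', 154)]
```

A real scan would walk whole files the way clamscan does; the point here is that only four byte patterns are needed regardless of architecture or compiler, which is why the page's signature set is so small.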

Signatures for the CAN-2005-2096 and CAN-2005-1849 vulnerabilities

These signatures are a subset of the generic zlib signatures. They only detect versions which, when unpatched, are affected by the CAN-2005-2096 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096> and CAN-2005-1849 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1849> vulnerabilities. These signatures cannot detect the presence of a patch, so a match does not necessarily imply a vulnerability. They are intended to obtain a list of candidate program binaries which have to be examined further.

The signature names are the same as for the generic zlib signatures, but the "ZLIB." prefix has been replaced with the string "CAN-2005-2096.". There is only a single set of signatures because the affected versions for CAN-2005-2096 and CAN-2005-1849 are the same.

Besides the official releases which are vulnerable (1.2.1 and 1.2.2), the signatures also cover the 1.2.0 beta versions.

A list of Debian packages matching the CAN-2005-2096 signatures <http://lists.debian.org/debian-security/2005/07/msg00158.html> has been posted to the debian-security <http://lists.debian.org/debian-security/> mailing list. The packages listed there may also be affected by CAN-2005-1849. Whether another update is needed depends on how CAN-2005-2096 was addressed.

ClamAV signature databases

The following ClamAV signature databases are available:

The generic zlib signatures cover versions up to and including 1.2.3. Changes to this file will be announced on the security-announce mailing list.

For example, you can use the zlib.db database in the following way:

$ clamscan -d zlib.db -i -r /usr/bin

Add the --deb option to the clamscan invocation if you want to scan uninstalled Debian packages (for example, the Debian package pool).

Acknowledgments

Many thanks to Mark Adler, who kindly provided data from which the ClamAV signature files were generated. Without his proactive steps to add unique fingerprints to each released zlib version, discovering potentially vulnerable copies of zlib would be much harder.

Revisions


Florian Weimer