(Caldera Issues Fix) 'zlib' Shared Compression Library Contains 'Double Free()' Buffer Overflow That Lets Remote Users Cause Programs Using zlib to Crash or Execute Arbitrary Code
|
Date: Apr 5 2002
|
Impact: Denial of service via network, Execution of arbitrary code via local system, Execution of arbitrary code via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): prior to 1.1.3
|
Description: A vulnerability was reported in the zlib shared library, a widely used library that provides in-memory compression and decompression functions. A remote user could cause programs using this library to crash or to execute arbitrary code on the system.
It is reported that certain types of input will cause zlib to free the same area of memory twice (i.e., perform a "double free"), resulting in a buffer overflow condition when expanding compressed input. A remote user can cause programs that process untrusted user-supplied compressed input to crash or potentially execute arbitrary code on the system.
It is reported that web browsers or email programs that display image attachments or other programs that uncompress data may be particularly affected.
It is reported that Matthias Clasen <maclas@gmx.de> and Owen Taylor <otaylor@redhat.com> discovered this bug.
|
Impact: A remote user can cause affected programs that use zlib to process untrusted user-supplied compressed input to crash or potentially execute arbitrary code on the system.
|
Solution: The vendor has released a fix.
For OpenLinux 3.1.1 Server:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS
To install:
rpm -Fvh libz-1.1.3-12.i386.rpm
rpm -Fvh dump-0.4b22-5.i386.rpm
rpm -Fvh linux-source-cris-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-i386-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-ia64-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-m68k-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-mips-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-parisc-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-ppc-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-s390-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-sparc-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-superH-2.4.13-15S.i386.rpm
rpm -Fvh libz-devel-1.1.3-12.i386.rpm
rpm -Fvh rpm-3.0.6-9.i386.rpm
rpm -Fvh rpm-devel-3.0.6-9.i386.rpm
rpm -Fvh rsync-2.5.0-5.i386.rpm
rpm -Fvh libz-devel-static-1.1.3-12.i386.rpm
rpm -Fvh linux-kernel-binary-2.4.13-15S.i386.rpm
rpm -Fvh linux-kernel-include-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-UserMode-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-alpha-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-arm-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-common-2.4.13-15S.i386.rpm
Source Package Location:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS
Source Packages:
23cb4c1deb9a5253305d59796b39559e dump-0.4b22-5.src.rpm
01c6767ca6920892e3761d94c268677c libz-1.1.3-12.src.rpm
899cd9d83876602c0beb11833f89ef69 linux-2.4.13-15.src.rpm
84985de23b84a62b05fa97b10acaf3a3 rpm-3.0.6-9.src.rpm
51ffe946113ccc27f5125b25b408669c rsync-2.5.0-5.src.rpm
For OpenLinux 3.1.1 Workstation:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS
To install:
rpm -Fvh libz-1.1.3-12.i386.rpm
rpm -Fvh libz-devel-1.1.3-12.i386.rpm
rpm -Fvh libz-devel-static-1.1.3-12.i386.rpm
rpm -Fvh dump-0.4b22-5.i386.rpm
rpm -Fvh linux-kernel-binary-2.4.13-15S.i386.rpm
rpm -Fvh linux-kernel-include-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-UserMode-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-alpha-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-arm-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-common-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-cris-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-i386-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-ia64-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-m68k-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-mips-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-parisc-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-ppc-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-s390-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-sparc-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-superH-2.4.13-15S.i386.rpm
rpm -Fvh rpm-3.0.6-9.i386.rpm
rpm -Fvh rpm-devel-3.0.6-9.i386.rpm
rpm -Fvh rsync-2.5.0-5.i386.rpm
Source Package Location:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS
Source Packages:
23cb4c1deb9a5253305d59796b39559e dump-0.4b22-5.src.rpm
01c6767ca6920892e3761d94c268677c libz-1.1.3-12.src.rpm
899cd9d83876602c0beb11833f89ef69 linux-2.4.13-15.src.rpm
84985de23b84a62b05fa97b10acaf3a3 rpm-3.0.6-9.src.rpm
51ffe946113ccc27f5125b25b408669c rsync-2.5.0-5.src.rpm
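The package lists pair each file with an MD5 checksum ahead of the `rpm -Fvh` step. As an added example (not part of the Caldera advisory or of this archive entry), the script below checks every downloaded file against a manifest in that "checksum filename" layout and passes the packages to rpm only if all of them match. It assumes `md5sum` from GNU coreutils; the names `verify_manifest` and `install_verified` and the `RPM` dry-run variable are hypothetical.

```shell
#!/bin/sh
# Added example, not from the advisory: check downloaded packages against an
# "md5 filename" manifest before rpm runs. Assumes md5sum from GNU coreutils.

# verify_manifest MANIFEST DIR
# Prints "OK|MISMATCH|MISSING <name>" or "MALFORMED line <n>" per entry and
# returns 0 only when every entry verified.
verify_manifest() {
    manifest=$1; dir=$2; rc=0; n=0
    # "|| [ -n "$want" ]" keeps a last line that has no trailing newline
    while read -r want name extra || [ -n "$want" ]; do
        n=$((n + 1))
        [ -z "$want" ] && continue                  # blank line
        bad=0
        # An MD5 digest is 32 hex digits, and a line has exactly two fields
        printf '%s' "$want" | grep -Eq '^[0-9a-fA-F]{32}$' || bad=1
        [ -n "$name" ] && [ -z "$extra" ] || bad=1
        # No path components, so an entry cannot point outside DIR
        case $name in */*) bad=1 ;; esac
        if [ "$bad" -eq 1 ]; then
            echo "MALFORMED line $n"; rc=1; continue
        fi
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"; rc=1; continue
        fi
        got=$(md5sum < "$dir/$name" | cut -d' ' -f1)
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f') # md5sum prints lowercase
        if [ "$got" = "$want" ]; then
            echo "OK $name"
        else
            echo "MISMATCH $name"; rc=1
        fi
    done < "$manifest"
    return "$rc"
}

# install_verified MANIFEST DIR
# All or nothing: packages reach rpm only if the whole manifest verified.
# They go to one "rpm -Fvh" call so rpm orders the transaction itself.
# RPM=echo gives a dry run that prints the arguments rpm would receive.
install_verified() {
    m=$1; d=$2
    if ! verify_manifest "$m" "$d" >&2; then
        echo "verification failed, nothing installed" >&2
        return 1
    fi
    set --                                          # rebuild "$@" as file list
    while read -r sum name || [ -n "$sum" ]; do
        if [ -n "$name" ]; then set -- "$@" "$d/$name"; fi
    done < "$m"
    if [ "$#" -gt 0 ]; then ${RPM:-rpm} -Fvh "$@"; fi
}
```

A manifest whose lines were wrapped in transit (checksum on one line, file name on the next) is reported as MALFORMED rather than skipped. The checksums are only as trustworthy as the copy of the advisory they were taken from, and MD5 is no longer collision-resistant, so take the manifest from the signed advisory after checking its signature.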
|
Vendor URL: www.gzip.org/zlib/
|
Cause: Boundary error
|
Underlying OS: Linux (Caldera)
|
Underlying OS Comments: OpenLinux Server and Workstation 3.1.1
|
Reported By: security@caldera.com
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Thu, 4 Apr 2002 16:38:11 -0800
From: security@caldera.com
Subject: Security Update: [CSSA-2002-015.0] Linux: Double free in zlib (libz) vulnerability
|
To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com
______________________________________________________________________________
Caldera International, Inc. Security Advisory
Subject: Linux: Double free in zlib (libz) vulnerability
Advisory number: CSSA-2002-015.0
Issue date: 2002, April 04
Cross reference:
______________________________________________________________________________
1. Problem Description
From CERT CA-2002-07: There is a bug in the zlib compression
library that may manifest itself as a vulnerability in programs
that are linked with zlib. This may allow an attacker to conduct
a denial-of-service attack, gather information, or execute
arbitrary code.
2. Vulnerable Supported Versions
System Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server prior to dump-0.4b22-5.i386.rpm
prior to libz-1.1.3-12.i386.rpm
prior to linux-source-cris-2.4.13-15S.i386.rpm
prior to linux-source-i386-2.4.13-15S.i386.rpm
prior to linux-source-ia64-2.4.13-15S.i386.rpm
prior to linux-source-m68k-2.4.13-15S.i386.rpm
prior to linux-source-mips-2.4.13-15S.i386.rpm
prior to linux-source-parisc-2.4.13-15S.i386.rpm
prior to linux-source-ppc-2.4.13-15S.i386.rpm
prior to linux-source-s390-2.4.13-15S.i386.rpm
prior to linux-source-sparc-2.4.13-15S.i386.rpm
prior to linux-source-superH-2.4.13-15S.i386.rpm
prior to libz-devel-1.1.3-12.i386.rpm
prior to rpm-3.0.6-9.i386.rpm
prior to rpm-devel-3.0.6-9.i386.rpm
prior to rsync-2.5.0-5.i386.rpm
prior to dump-0.4b22-5.src.rpm
prior to libz-1.1.3-12.src.rpm
prior to linux-2.4.13-15.src.rpm
prior to rpm-3.0.6-9.src.rpm
prior to rsync-2.5.0-5.src.rpm
prior to libz-devel-static-1.1.3-12.i386.rpm
prior to linux-kernel-binary-2.4.13-15S.i386.rpm
prior to linux-kernel-include-2.4.13-15S.i386.rpm
prior to linux-source-UserMode-2.4.13-15S.i386.rpm
prior to linux-source-alpha-2.4.13-15S.i386.rpm
prior to linux-source-arm-2.4.13-15S.i386.rpm
prior to linux-source-common-2.4.13-15S.i386.rpm
OpenLinux 3.1.1 Workstation prior to dump-0.4b22-5.i386.rpm
prior to libz-1.1.3-12.i386.rpm
prior to libz-devel-1.1.3-12.i386.rpm
prior to libz-devel-static-1.1.3-12.i386.rpm
prior to linux-kernel-binary-2.4.13-15S.i386.rpm
prior to linux-kernel-include-2.4.13-15S.i386.rpm
prior to linux-source-UserMode-2.4.13-15S.i386.rpm
prior to linux-source-alpha-2.4.13-15S.i386.rpm
prior to linux-source-arm-2.4.13-15S.i386.rpm
prior to linux-source-common-2.4.13-15S.i386.rpm
prior to linux-source-cris-2.4.13-15S.i386.rpm
prior to linux-source-i386-2.4.13-15S.i386.rpm
prior to linux-source-ia64-2.4.13-15S.i386.rpm
prior to linux-source-m68k-2.4.13-15S.i386.rpm
prior to linux-source-mips-2.4.13-15S.i386.rpm
prior to linux-source-parisc-2.4.13-15S.i386.rpm
prior to linux-source-ppc-2.4.13-15S.i386.rpm
prior to linux-source-s390-2.4.13-15S.i386.rpm
prior to linux-source-sparc-2.4.13-15S.i386.rpm
prior to linux-source-superH-2.4.13-15S.i386.rpm
prior to rpm-3.0.6-9.i386.rpm
prior to rpm-devel-3.0.6-9.i386.rpm
prior to rsync-2.5.0-5.i386.rpm
prior to dump-0.4b22-5.src.rpm
prior to libz-1.1.3-12.src.rpm
prior to linux-2.4.13-15.src.rpm
prior to rpm-3.0.6-9.src.rpm
prior to rsync-2.5.0-5.src.rpm
3. Solution
The proper solution is to install the latest packages.
4. OpenLinux 3.1.1 Server
4.1 Package Location
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS
4.2 Packages
69cd9425bd8d6463a8d7e65271b826d7 dump-0.4b22-5.i386.rpm
f2e35b07ceb6c7d0b4b0e258892780f7 libz-1.1.3-12.i386.rpm
56b0d76a38823ee9b6897c02ee879285 linux-source-cris-2.4.13-15S.i386.rpm
b50863ae6ca6708ac8a3fe24dbcab091 linux-source-i386-2.4.13-15S.i386.rpm
ce11d939e8bde711453746b27ff87bf5 linux-source-ia64-2.4.13-15S.i386.rpm
1d3265ddab10d19e089d36f0d72fa5c9 linux-source-m68k-2.4.13-15S.i386.rpm
931bdbd27db23c9a4093fac97400d031 linux-source-mips-2.4.13-15S.i386.rpm
3eccb9efc9639a18dbfe4dadffc19687 linux-source-parisc-2.4.13-15S.i386.rpm
9187ea14d95e8f2b386b9cacce45e437 linux-source-ppc-2.4.13-15S.i386.rpm
6747fe6c69ffe4dd806b1e70c324abdb linux-source-s390-2.4.13-15S.i386.rpm
9b0f08824d11cfa02c3668c6d447a836 linux-source-sparc-2.4.13-15S.i386.rpm
5bd38d7f07b96ce0d07d4f64665de0ef linux-source-superH-2.4.13-15S.i386.rpm
e22682ade4ebac2d7a02d3ac8653ef8f libz-devel-1.1.3-12.i386.rpm
7479f0409a80030bd897f9e0d1dc400d rpm-3.0.6-9.i386.rpm
9470b7f9e89302a9861385233265ebf9 rpm-devel-3.0.6-9.i386.rpm
9c9f5311858606bf9e87e3d7c25093f9 rsync-2.5.0-5.i386.rpm
82621db45e27ab47446851018a0f2d4f libz-devel-static-1.1.3-12.i386.rpm
a5987dd17e564007bfb3948fe2af7abf linux-kernel-binary-2.4.13-15S.i386.rpm
23cd4031e65b1d0a2a7747f0d28ee89d linux-kernel-include-2.4.13-15S.i386.rpm
0679c645b73eb3db5869e1b8c2830ffb linux-source-UserMode-2.4.13-15S.i386.rpm
b565e1be88e50f66591ed59ed7be2fda linux-source-alpha-2.4.13-15S.i386.rpm
12397356ef12cb3cd6c9502bba9c7786 linux-source-arm-2.4.13-15S.i386.rpm
3ec69747d552234318086c3455586b9b linux-source-common-2.4.13-15S.i386.rpm
4.3 Installation
rpm -Fvh libz-1.1.3-12.i386.rpm
rpm -Fvh dump-0.4b22-5.i386.rpm
rpm -Fvh linux-source-cris-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-i386-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-ia64-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-m68k-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-mips-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-parisc-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-ppc-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-s390-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-sparc-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-superH-2.4.13-15S.i386.rpm
rpm -Fvh libz-devel-1.1.3-12.i386.rpm
rpm -Fvh rpm-3.0.6-9.i386.rpm
rpm -Fvh rpm-devel-3.0.6-9.i386.rpm
rpm -Fvh rsync-2.5.0-5.i386.rpm
rpm -Fvh libz-devel-static-1.1.3-12.i386.rpm
rpm -Fvh linux-kernel-binary-2.4.13-15S.i386.rpm
rpm -Fvh linux-kernel-include-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-UserMode-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-alpha-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-arm-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-common-2.4.13-15S.i386.rpm
4.4 Source Package Location
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS
4.5 Source Packages
23cb4c1deb9a5253305d59796b39559e dump-0.4b22-5.src.rpm
01c6767ca6920892e3761d94c268677c libz-1.1.3-12.src.rpm
899cd9d83876602c0beb11833f89ef69 linux-2.4.13-15.src.rpm
84985de23b84a62b05fa97b10acaf3a3 rpm-3.0.6-9.src.rpm
51ffe946113ccc27f5125b25b408669c rsync-2.5.0-5.src.rpm
5. OpenLinux 3.1.1 Workstation
5.1 Package Location
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS
5.2 Packages
69cd9425bd8d6463a8d7e65271b826d7 dump-0.4b22-5.i386.rpm
f2e35b07ceb6c7d0b4b0e258892780f7 libz-1.1.3-12.i386.rpm
e22682ade4ebac2d7a02d3ac8653ef8f libz-devel-1.1.3-12.i386.rpm
82621db45e27ab47446851018a0f2d4f libz-devel-static-1.1.3-12.i386.rpm
a5987dd17e564007bfb3948fe2af7abf linux-kernel-binary-2.4.13-15S.i386.rpm
23cd4031e65b1d0a2a7747f0d28ee89d linux-kernel-include-2.4.13-15S.i386.rpm
0679c645b73eb3db5869e1b8c2830ffb linux-source-UserMode-2.4.13-15S.i386.rpm
b565e1be88e50f66591ed59ed7be2fda linux-source-alpha-2.4.13-15S.i386.rpm
12397356ef12cb3cd6c9502bba9c7786 linux-source-arm-2.4.13-15S.i386.rpm
3ec69747d552234318086c3455586b9b linux-source-common-2.4.13-15S.i386.rpm
56b0d76a38823ee9b6897c02ee879285 linux-source-cris-2.4.13-15S.i386.rpm
b50863ae6ca6708ac8a3fe24dbcab091 linux-source-i386-2.4.13-15S.i386.rpm
ce11d939e8bde711453746b27ff87bf5 linux-source-ia64-2.4.13-15S.i386.rpm
1d3265ddab10d19e089d36f0d72fa5c9 linux-source-m68k-2.4.13-15S.i386.rpm
931bdbd27db23c9a4093fac97400d031 linux-source-mips-2.4.13-15S.i386.rpm
3eccb9efc9639a18dbfe4dadffc19687 linux-source-parisc-2.4.13-15S.i386.rpm
9187ea14d95e8f2b386b9cacce45e437 linux-source-ppc-2.4.13-15S.i386.rpm
6747fe6c69ffe4dd806b1e70c324abdb linux-source-s390-2.4.13-15S.i386.rpm
9b0f08824d11cfa02c3668c6d447a836 linux-source-sparc-2.4.13-15S.i386.rpm
5bd38d7f07b96ce0d07d4f64665de0ef linux-source-superH-2.4.13-15S.i386.rpm
7479f0409a80030bd897f9e0d1dc400d rpm-3.0.6-9.i386.rpm
9470b7f9e89302a9861385233265ebf9 rpm-devel-3.0.6-9.i386.rpm
9c9f5311858606bf9e87e3d7c25093f9 rsync-2.5.0-5.i386.rpm
5.3 Installation
rpm -Fvh libz-1.1.3-12.i386.rpm
rpm -Fvh libz-devel-1.1.3-12.i386.rpm
rpm -Fvh libz-devel-static-1.1.3-12.i386.rpm
rpm -Fvh dump-0.4b22-5.i386.rpm
rpm -Fvh linux-kernel-binary-2.4.13-15S.i386.rpm
rpm -Fvh linux-kernel-include-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-UserMode-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-alpha-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-arm-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-common-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-cris-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-i386-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-ia64-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-m68k-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-mips-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-parisc-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-ppc-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-s390-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-sparc-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-superH-2.4.13-15S.i386.rpm
rpm -Fvh rpm-3.0.6-9.i386.rpm
rpm -Fvh rpm-devel-3.0.6-9.i386.rpm
rpm -Fvh rsync-2.5.0-5.i386.rpm
5.4 Source Package Location
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS
5.5 Source Packages
23cb4c1deb9a5253305d59796b39559e dump-0.4b22-5.src.rpm
01c6767ca6920892e3761d94c268677c libz-1.1.3-12.src.rpm
899cd9d83876602c0beb11833f89ef69 linux-2.4.13-15.src.rpm
84985de23b84a62b05fa97b10acaf3a3 rpm-3.0.6-9.src.rpm
51ffe946113ccc27f5125b25b408669c rsync-2.5.0-5.src.rpm
6. References
Specific references for this advisory:
http://www.cert.org/advisories/CA-2002-07.html
http://www.gzip.org/zlib/advisory-2002-03-11.txt
Caldera OpenLinux security resources:
http://www.caldera.com/support/security/index.html
Caldera UNIX security resources:
http://stage.caldera.com/support/security/
This security fix closes Caldera incidents sr860749, fz520215,
and erg711966.
7. Disclaimer
Caldera International, Inc. is not responsible for the misuse
of any of the information we provide on this website and/or
through our security advisories. Our advisories are a service
to our customers intended to promote secure installation and
use of Caldera products.
8. Acknowledgements
Owen Taylor announced this on February 6, 2002, after Matthias
Clasen found an invalid PNG file that crashed zlib.
______________________________________________________________________________
|
|