(Slackware Issues Fix) 'zlib' Shared Compression Library Contains 'Double Free()' Buffer Overflow That Lets Remote Users Cause Programs Using zlib to Crash or Execute Arbitrary Code
Date: Mar 12 2002
Impact: Denial of service via network, Execution of arbitrary code via local system, Execution of arbitrary code via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 1.1.3
Description: A vulnerability was reported in the zlib shared library, a widely used library that provides in-memory compression and decompression functions. A remote user could cause programs using this library to crash or to execute arbitrary code on the system.
It is reported that certain types of input will cause zlib to free the same area of memory twice (i.e., perform a "double free"), resulting in a buffer overflow condition when expanding compressed input. A remote user can cause programs that process untrusted user-supplied compressed input to crash or potentially execute arbitrary code on the system.
It is reported that web browsers or email programs that display image attachments, or other programs that uncompress data, may be particularly affected.
It is reported that Matthias Clasen <maclas@gmx.de> and Owen Taylor <otaylor@redhat.com> discovered this bug.
Impact: A remote user can cause affected programs that use zlib to process untrusted user-supplied compressed input to crash or potentially execute arbitrary code on the system.
Solution: The vendor has released a fix and urges that users upgrade the zlib package immediately.
Updated zlib package for Slackware 7.1:
ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/packages/zlib.tgz
Updated zlib package for Slackware 8.0:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/zlib.tgz
Updated zlib package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/zlib-1.1.4/packages/zlib-1.1.4-i386-1.tgz
Here is the md5sum for the package:
Slackware 7.1:
8371e3ea1d8d0f624edc43ede13e82dd zlib.tgz
Slackware 8.0:
7e5187be97632b446c214cf62fc94fff zlib.tgz
Slackware -current:
5d9968475642c822ae11cce8c5504ece zlib-1.1.4-i386-1.tgz
To install, as root, upgrade to the new zlib.tgz package:
# upgradepkg zlib.tgz
Afterwards, restart any running programs that link to libz.so.
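The install step above lists an md5sum for each package but leaves the check itself to the reader. The following script is an added example, not Slackware's own tooling: it computes the digest of a downloaded package with whatever MD5 tool the host provides (GNU md5sum, BSD md5, or openssl) and refuses to hand the file to upgradepkg unless the digest matches the published value. The package path and expected digest are passed as arguments; the three hash constants are copied from the advisory text above.

```shell
#!/bin/sh
# Added example, not part of the Slackware advisory: verify a downloaded
# package against the md5sum published in the advisory before installing it.
# Usage: sh verify-zlib.sh zlib.tgz <expected-md5>

# md5sums copied from the advisory text above (one per release).
MD5_SLACK71="8371e3ea1d8d0f624edc43ede13e82dd"
MD5_SLACK80="7e5187be97632b446c214cf62fc94fff"
MD5_CURRENT="5d9968475642c822ae11cce8c5504ece"

# md5_of FILE: print the hex MD5 digest of FILE, using whichever
# tool the host provides (GNU md5sum, BSD md5, or openssl).
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | awk '{print $1}'
  elif command -v md5 >/dev/null 2>&1; then
    md5 -q "$1"
  else
    openssl dgst -md5 "$1" | awk '{print $NF}'
  fi
}

# verify_package FILE EXPECTED: exit status 0 when FILE's digest equals
# EXPECTED (compared case-insensitively), 1 otherwise. A mismatch is
# reported on stderr so it is visible even when stdout is discarded.
verify_package() {
  actual=$(md5_of "$1" | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  if [ "$actual" = "$expected" ]; then
    echo "OK: $1 matches published md5sum $expected"
    return 0
  fi
  echo "MISMATCH: $1 has md5 $actual, advisory lists $expected; not installing" >&2
  return 1
}

# install_if_verified FILE EXPECTED: run upgradepkg (Slackware's package
# upgrade tool, as used in the advisory) only after the digest check passes.
install_if_verified() {
  verify_package "$1" "$2" || return 1
  upgradepkg "$1"
}

# When run directly with two arguments, verify and install that package.
if [ "$#" -eq 2 ]; then
  install_if_verified "$1" "$2"
fi
```

Run it as root on the Slackware host after fetching the package, e.g. `sh verify-zlib.sh zlib.tgz 7e5187be97632b446c214cf62fc94fff` for the 8.0 package; a mismatch means the download is corrupt or not the file the advisory describes, and nothing is installed. After a successful upgrade, the advisory's final step still applies: restart anything that links to libz.so, since running processes keep the old library mapped.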
Vendor URL: www.gzip.org/zlib/
Cause: Boundary error
Underlying OS: Linux (Slackware)
Reported By: Slackware Security Team <security@slackware.com>
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Mon, 11 Mar 2002 14:12:40 -0800 (PST)
From: Slackware Security Team <security@slackware.com>
Subject: [slackware-security] zlib upgrade fixes vulnerability
New zlib packages are available to fix a security problem which may impact
programs that link with zlib.
Here's the information from the Slackware 8.0 ChangeLog:
----------------------------
Mon Mar 11 13:32:40 PST 2002
patches/packages/zlib.tgz: Upgraded to zlib-1.1.4. This fixes a security
problem which may introduce vulnerabilities into any program that links with
zlib. Quoting the advisory on zlib.org:
"Depending upon how and where the zlib routines are called from the given
program, the resulting vulnerability may have one or more of the following
impacts: denial of service, information leakage, or execution of arbitrary
code."
Sites are urged to upgrade the zlib package immediately.
The complete advisory may be found here:
http://www.zlib.org/advisory-2002-03-11.txt
(* Security fix *)
----------------------------
WHERE TO FIND THE NEW PACKAGE:
------------------------------
Updated zlib package for Slackware 7.1:
ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/packages/zlib.tgz
Updated zlib package for Slackware 8.0:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/packages/zlib.tgz
Updated zlib package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/zlib-1.1.4/packages/zlib-1.1.4-i386-1.tgz
MD5 SIGNATURE:
--------------
Here is the md5sum for the package:
Slackware 7.1:
8371e3ea1d8d0f624edc43ede13e82dd zlib.tgz
Slackware 8.0:
7e5187be97632b446c214cf62fc94fff zlib.tgz
Slackware -current:
5d9968475642c822ae11cce8c5504ece zlib-1.1.4-i386-1.tgz
INSTALLATION INSTRUCTIONS:
--------------------------
As root, upgrade to the new zlib.tgz package:
# upgradepkg zlib.tgz
Afterwards, restart any running programs that link to libz.so.
Remember, it's also a good idea to backup configuration files before
upgrading packages.
- Slackware Linux Security Team
http://www.slackware.com
+------------------------------------------------------------------------+
| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back. Follow the instructions to |
| complete the unsubscription. Do not reply to this message to |
| unsubscribe! |
+------------------------------------------------------------------------+