Today I received this security announcement. If you think it is not necessary to forward this message to the list, please tell me.
The zlib compression library is being used by many applications to provide data compression/decompression routines. An error in a decompression routine can corrupt the internal data structures of malloc by a double call to the free() function. If the data processed by the compression library is provided from an untrusted source, it may be possible for an attacker to interfere with the process using the zlib routines. The attack scenario includes a denial of service attack and memory/data disclosure, but it may also be possible to insert arbitrary code into the running program and to execute this code.

This update fixes the known problems in the libz/zlib as a permanent fix. There exists no temporary workaround that can efficiently remedy the problem.

It is expected that a large range of software is affected. The systems affected are by no means limited to Linux systems or other open-source based operating systems.
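As an added illustration (not SuSE's, zlib's or the original poster's code), the following C model shows the shape of the double-free the advisory describes: a cleanup on an error path releases partially built decompressor state without clearing the owner's pointer, and the caller's normal end routine releases the same blocks a second time. A small tracking arena stands in for malloc so the second free is refused and counted instead of corrupting heap bookkeeping. Every structure and function name here is constructed for the example; none of them is zlib's.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 8
#define SLOT_SIZE 256

/* Tracking allocator (constructed): a fixed arena that records which slots
 * are live. Memory is never handed back to libc, so a refused double free
 * cannot corrupt malloc's bookkeeping while we observe it, and reading a
 * released block stays defined for the purpose of this model. */
static union { max_align_t align; unsigned char bytes[SLOT_SIZE]; } arena[SLOTS];
static int slot_live[SLOTS];
static int double_free_count;   /* duplicate frees refused so far */

static void reset_allocator(void) {
    memset(slot_live, 0, sizeof slot_live);
    double_free_count = 0;
}

static void *tracked_alloc(size_t n) {
    if (n > SLOT_SIZE) return NULL;
    for (int i = 0; i < SLOTS; i++)
        if (!slot_live[i]) { slot_live[i] = 1; return arena[i].bytes; }
    return NULL;
}

/* Returns 0 when the block was live and is now released, -1 when it was
 * not live, i.e. a double free (or a foreign pointer) has been refused. */
static int tracked_free(void *p) {
    if (p == NULL) return 0;
    for (int i = 0; i < SLOTS; i++) {
        if (p != (void *)arena[i].bytes) continue;
        if (slot_live[i]) { slot_live[i] = 0; return 0; }
        break;
    }
    double_free_count++;
    return -1;
}

int live_blocks(void) {
    int n = 0;
    for (int i = 0; i < SLOTS; i++) n += slot_live[i];
    return n;
}

/* Constructed decompressor state: a sliding window owned by a stream. */
struct infl_state { unsigned char *window; };
struct stream { struct infl_state *state; };

/* The buggy shape: an error path during setup releases the partially built
 * state but leaves the stream's pointer dangling, so the caller's normal
 * end routine releases the same blocks again. */
static void setup_failed_buggy(struct stream *z) {
    tracked_free(z->state->window);
    tracked_free(z->state);
}

/* Hardened shape: release in one place and clear the owner's pointer so
 * any later end call is a harmless no-op. */
static void setup_failed_fixed(struct stream *z) {
    if (z->state == NULL) return;
    tracked_free(z->state->window);
    z->state->window = NULL;
    tracked_free(z->state);
    z->state = NULL;
}

/* The end routine every caller invokes after an error, as a library's
 * public API would. */
static void stream_end(struct stream *z) {
    if (z->state == NULL) return;
    tracked_free(z->state->window);
    tracked_free(z->state);
    z->state = NULL;
}

/* Builds a stream, simulates a setup failure with the given cleanup, then
 * runs the caller's end routine. Returns the number of refused frees. */
static int run_scenario(void (*on_setup_failure)(struct stream *)) {
    reset_allocator();
    struct stream z;
    z.state = tracked_alloc(sizeof *z.state);
    z.state->window = tracked_alloc(64);
    on_setup_failure(&z);
    stream_end(&z);
    return double_free_count;
}

int run_buggy_scenario(void) { return run_scenario(setup_failed_buggy); }
int run_fixed_scenario(void) { return run_scenario(setup_failed_fixed); }

int main(void) {
    printf("buggy cleanup: %d double free(s) refused\n", run_buggy_scenario());
    printf("fixed cleanup: %d double free(s) refused\n", run_fixed_scenario());
    return 0;
}
```

The buggy path refuses two frees (the window and the state block); the fixed path refuses none and leaves no live blocks. The one-line difference that matters is clearing the owner's pointer after the single release, which is the property a permanent fix has to guarantee on every error path of a decompressor.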
Note:
The libz compression library is being used by several hundred packages in all SuSE products. While the update of the libz package as itself is not problematic, it must be noted that many packages bring their own compression library in their source code. If these packages link against their own version of the libz compression library, their source needs to be fixed as well.
The packages affected by the double-free() libz bug can be divided into two categories:

1) packages that link dynamically against the system-provided compression library. These packages get fixed automatically with the update of the libz package as described in SuSE-SA:2002:010. Please note that the processes will continue to use the old version of the libz.so shared library if they have not been restarted after the libz package upgrade.

2) packages that contain the compression library in their own source distribution. These packages need an individual bugfix. We have prepared update packages for this software that can be downloaded from the locations as shown below.
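Category 1) hinges on restarting every process that still maps the old libz.so. Added here as an example (not SuSE's tooling and not part of the original announcement), a C scanner over /proc/PID/maps reports processes whose libz mapping the kernel marks "(deleted)", which is the Linux /proc convention once an upgrade has replaced the file on disk with a new inode. The sample maps lines are constructed; the library name libz.so and the "(deleted)" marker are assumptions about the system being checked.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 when one /proc/PID/maps line maps a file whose name contains
 * libname and which the kernel marks "(deleted)": the on-disk file was
 * replaced (as an RPM upgrade does) but this process still runs the old
 * copy. Lines without a path field ("[heap]", anonymous maps) return 0. */
int maps_line_is_stale_lib(const char *line, const char *libname) {
    const char *path = strchr(line, '/');   /* first '/' starts the path field */
    if (path == NULL || strstr(path, libname) == NULL) return 0;
    size_t len = strlen(path);
    while (len > 0 && (path[len - 1] == '\n' || path[len - 1] == '\r')) len--;
    static const char tag[] = " (deleted)";
    size_t tl = sizeof tag - 1;
    return len >= tl && memcmp(path + len - tl, tag, tl) == 0;
}

/* Counts stale mappings of libname in a whole maps text, one line each. */
int count_stale_lib_lines(const char *maps_text, const char *libname) {
    int n = 0;
    const char *p = maps_text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        n += maps_line_is_stale_lib(line, libname);
        if (!nl) break;
        p = nl + 1;
    }
    return n;
}

/* Constructed sample: a process that still has the pre-upgrade libz mapped
 * (two segments of the replaced file), plus a process on the new copy. */
const char *SAMPLE_STALE_MAPS =
    "40000000-40016000 r-xp 00000000 03:01 12345      /lib/ld-2.2.5.so\n"
    "40100000-4010f000 r-xp 00000000 03:01 23456      /usr/lib/libz.so.1.1.3 (deleted)\n"
    "4010f000-40110000 rw-p 0000e000 03:01 23456      /usr/lib/libz.so.1.1.3 (deleted)\n"
    "40200000-40300000 r-xp 00000000 03:01 34567      /lib/libc.so.6\n"
    "bffff000-c0000000 rwxp 00000000 00:00 0\n";
const char *SAMPLE_CLEAN_MAPS =
    "40000000-40016000 r-xp 00000000 03:01 12345      /lib/ld-2.2.5.so\n"
    "40100000-4010f000 r-xp 00000000 03:01 45678      /usr/lib/libz.so.1.1.3\n"
    "bffff000-c0000000 rwxp 00000000 00:00 0\n";

/* Scans every /proc/PID/maps on a live Linux system and returns how many
 * processes still map a replaced copy of libname, printing each PID.
 * Returns -1 when /proc cannot be opened. Reading other users' maps files
 * needs root. */
int scan_proc_for_stale_lib(const char *libname) {
    DIR *proc = opendir("/proc");
    if (proc == NULL) return -1;
    int affected = 0;
    struct dirent *d;
    while ((d = readdir(proc)) != NULL) {
        if (!isdigit((unsigned char)d->d_name[0])) continue;   /* PIDs only */
        char path[64];
        snprintf(path, sizeof path, "/proc/%s/maps", d->d_name);
        FILE *f = fopen(path, "r");
        if (f == NULL) continue;                 /* gone or not readable */
        char line[1024];
        int stale = 0;
        while (!stale && fgets(line, sizeof line, f) != NULL)
            stale = maps_line_is_stale_lib(line, libname);
        fclose(f);
        if (stale) { printf("pid %s still maps old %s\n", d->d_name, libname); affected++; }
    }
    closedir(proc);
    return affected;
}

int main(void) {
    printf("sample: %d stale libz line(s)\n",
           count_stale_lib_lines(SAMPLE_STALE_MAPS, "libz.so"));
    int procs = scan_proc_for_stale_lib("libz.so");
    if (procs < 0) printf("/proc not available on this system\n");
    else printf("%d process(es) need a restart\n", procs);
    return 0;
}
```

The check only catches the case where the upgrade gave the file a new inode; a library overwritten in place carries no "(deleted)" marker, so an empty result is not proof that every process has been restarted. Processes started from a chroot or with a private copy of the library, which is exactly category 2), are outside what this scan can see.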
The following is a list of the packages in category 2):
gpg
rsync
cvs
rrdtool
freeamp
netscape
vnc
kernel
In detail:

gpg:
gpg brings its own libz/zlib source. The fixed update packages are available on the ftp server. The packages for SuSE Linux 6.4 and 7.0 are located on ftp.suse.de, all other packages can be found on ftp.suse.com. The package for SuSE Linux 7.3, Intel i386 platform, is currently building and will be available shortly.
rsync:
The rsync package brings its own libz/zlib source. In addition to the libz/zlib fixes, the rsync package has a number of other security related problems fixed: The rsync daemon now properly initializes group memberships when it changes to another userID. The last security fix in the rsync packages has been corrected to improve the reliability of the program. The fixed update packages are available on the ftp server.
cvs:
The cvs package brings its own libz/zlib source. In addition to the libz/zlib fixes, the cvs packages in SuSE Linux 6.4 and 7.0 contain a fix for a buffer overflow that may be remotely exploitable. Versions of the cvs packages later than 7.0 do not contain this flaw.
rrdtool:
SuSE Linux 7.2 and newer contain the package rrdtool. It brings its own source of the libz/zlib compression library. Fixed packages are available for download on the ftp server.
freeamp:
The freeamp package brings its own libz/zlib source. Fixed packages for SuSE Linux 7.1 and 7.0 are available for download. The update packages for the newer distributions will follow soon without any further announcement.
netscape:
New netscape binary packages are expected from netscape.com soon. Due to the closed source nature of the software, we depend on netscape to fix the package.
vnc:
The vnc package brings its own libz/zlib source. We will provide fixed packages for our supported products shortly. The availability of these packages will be announced in section 2) of the next SuSE Security Announcement.
kernel:
The kernel of Linux systems is affected by the libz/zlib double-free() problem as well. The routines from the compression library are being used by functions that uncompress filesystems loaded into ramdisks and other non-security-critical occasions. However, the kernel uses the compression library in the ppp layer as well as in the freeswan IPSec kernel module. We are currently in the process of preparing update packages that fix numerous other problems (some of them security related) in both the 2.2 and the 2.4 series kernel. The availability of these kernel RPM packages will be announced in a separate SuSE Security Announcement soon.
--
Manfred Schuler
E_Mail: mailto:[EMAIL PROTECTED]
_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel