Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-14 Thread Andrew Tait
When woody finally is stable, and you run apt-get upgrade, you should get
suspicious when it says there are 150 packages to be upgraded and its going
to download 250 MB to do it :-)

You will probably know woody is out before hand, and should be expecting it.

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix

- Original Message -
From: "David Hart" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, March 14, 2002 11:09 AM
Subject: Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer
overflow


> On Thu, Mar 14, 2002 at 09:29:46AM +1100, Andrew Tait wrote:
>
> > Otherwise the Apt::Default-Release line in apt.conf has no effect.
>
> Thank you, I see.  What happens, though, when woody becomes stable (and
> you're tracking stable).  Does this mean that an 'apt-get upgrade' is
> going to pull in all the woody stuff?  On a 'stable' server I'd like to
> be in control of when a major upgrade takes place.  (I'm rather new to
> Debian so please forgive me if I'm missing something obvious.)
>
> --
> David Hart
> [EMAIL PROTECTED]
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact
[EMAIL PROTECTED]
>
>





Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-13 Thread David Hart
On Thu, Mar 14, 2002 at 09:29:46AM +1100, Andrew Tait wrote:

> Otherwise the Apt::Default-Release line in apt.conf has no effect.

Thank you, I see.  What happens, though, when woody becomes stable (and
you're tracking stable).  Does this mean that an 'apt-get upgrade' is
going to pull in all the woody stuff?  On a 'stable' server I'd like to
be in control of when a major upgrade takes place.  (I'm rather new to
Debian so please forgive me if I'm missing something obvious.)

-- 
David Hart
[EMAIL PROTECTED]





Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-13 Thread Andrew Tait
Otherwise the Apt::Default-Release line in apt.conf has no effect.

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix

- Original Message -
From: "David Hart" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, March 13, 2002 12:47 PM
Subject: Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer
overflow


> On Tue, Mar 12, 2002 at 05:46:13PM +1100, Andrew Tait wrote:
>
> > Update your sources.list to have both stable and testing (and make sure
you
> > called them that, not potato/woody),
>
> Why should they be named potato/woody rather than stable/testing?
>
> --
> David Hart
> [EMAIL PROTECTED]
>
>
>
>





Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-13 Thread Petro
On Wed, Mar 13, 2002 at 10:36:15AM +, David Hart wrote:
> On Wed, Mar 13, 2002 at 01:47:57AM +, David Hart wrote:
> Duh, sorry.  As someone else has kindly pointed out,
> 'potato/woody'/'stable/testing' should be transposed :)  (I really
> shouldn't post at 1:45 in the morning)

Why? Haven't had your 10th cup of coffee yet? 

-- 
Share and Enjoy. 





Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-13 Thread David Hart
On Wed, Mar 13, 2002 at 01:47:57AM +, David Hart wrote:

> On Tue, Mar 12, 2002 at 05:46:13PM +1100, Andrew Tait wrote:
> 
> > Update your sources.list to have both stable and testing (and make sure you
> > called them that, not potato/woody),
> 
> Why should they be named potato/woody rather than stable/testing?
    ^^
Duh, sorry.  As someone else has kindly pointed out,
'potato/woody'/'stable/testing' should be transposed :)  (I really
shouldn't post at 1:45 in the morning)

-- 
David Hart
[EMAIL PROTECTED]





Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-12 Thread David Hart
On Tue, Mar 12, 2002 at 05:46:13PM +1100, Andrew Tait wrote:

> Update your sources.list to have both stable and testing (and make sure you
> called them that, not potato/woody),

Why should they be named potato/woody rather than stable/testing?

-- 
David Hart
[EMAIL PROTECTED]





Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-12 Thread Chuck Peters
On Tue, 12 Mar 2002, Zephaniah E. Hull wrote:

> On Tue, Mar 12, 2002 at 05:46:13PM +1100, Andrew Tait wrote:
> > Unless your are going to dial into a malicious ISP, I doubt this will be a
> > problem (AFAIK, but don't quote me).
>
> Or unless you happen to be a small ISP using pppd on the receiving end
> and have malicious users?

That is what I am concerned about.  We are a freenet with about 1000
active users.  Depending on your viewpoint, unfortunately one of the other
volunteers upgraded the dialup server to a 2.4 kernel with the bunk packages in
an attempt to improve the problematic equinox SST and upgrade the eqnx
module.  We are moving to an Ascend MAX within a couple of months, but a
real exploit for our current pppd problem is likely to be available before
then.

Our non-profit board of directors recently decided to allow a user back on
that stole one of our machines over 2 years ago and has continued to be a
pain in the ass.  If a script kiddie exploit becomes available, he just
might do some serious damage.

Unless someone has some other suggestions, I'll try the hybrid potato/woody
suggested by Andrew Tait sometime this weekend.


Thanks,
Chuck



Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-12 Thread Jean-Francois Dive
This depends on how the packager chose to build the package: with a static
or dynamic library.

The only missing packages on the list, I reckon, are the kernel images.

JeF

On Tue, Mar 12, 2002 at 12:15:49PM +0200, Dmitry Borodaenko wrote:
> On Mon, Mar 11, 2002 at 09:42:39PM +0100, Michael Stone wrote:
> > The zlib vulnerability is fixed in the Debian zlib package version
> > 1.1.3-5.1. A number of programs either link statically to zlib or include
> > a private copy of zlib code. These programs must also be upgraded
> > to eliminate the zlib vulnerability. The affected packages and fixed
> > versions follow:
> >   amaya 2.4-1potato1
> >   dictd 1.4.9-9potato1
> >   erlang 49.1-10.1
> >   freeamp 2.0.6-2.1
> >   mirrordir 0.10.48-2.1
> >   ppp 2.3.11-1.5
> >   rsync 2.3.2-1.6
> >   vrweb 1.5-5.1
> 
> For comparison, here is a list of packages reported to be affected by
> the zlib vulnerability in ALT Linux Sisyphus (fixed src.rpms listed):
> 
> XFree86-4.2.0-alt2.src.rpm
> XFree86-compat-3.3.6-ipl23mdk.src.rpm
> freeswan-1.95-alt3.src.rpm
> iptables-1.2.5-alt1.src.rpm
> kernel-headers-common-1.0-alt1.src.rpm
> kernel22-2.2.21-alt3.p4.src.rpm
> kernel24-2.4.18-alt2.src.rpm
> kernel24-2.4.7-alt3.src.rpm
> libpopt-1.7-alt2.src.rpm
> mkinitrd-2.7.1-alt6.1.src.rpm
> mktemp-1.4-alt1.src.rpm
> modutils-2.4.12-alt1.src.rpm
> pngcrush-1.5.8-alt2.src.rpm
> rpm-3.0.6-ipl29.2mdk.src.rpm
> rsync-2.5.3-alt2.src.rpm
> vnc-3.3.3r2-alt2.src.rpm
> zlib-1.1.3-ipl15mdk.src.rpm
> 
> As you can see, there are packages fixed in Sisyphus that are not
> mentioned in the Debian announcement. Does this mean that the Debian
> counterparts were not affected in the first place, or that they were
> overlooked?
> 
> -- 
> Dmitry Borodaenko
> 
> 

-- 
-> Jean-Francois Dive
--> [EMAIL PROTECTED]



Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-12 Thread Zephaniah E. Hull
On Tue, Mar 12, 2002 at 05:46:13PM +1100, Andrew Tait wrote:
> Unless your are going to dial into a malicious ISP, I doubt this will be a
> problem (AFAIK, but don't quote me).

Or unless you happen to be a small ISP using pppd on the receiving end
and have malicious users?

Zephaniah E. Hull.

-- 
1024D/E65A7801 Zephaniah E. Hull <[EMAIL PROTECTED]>
   92ED 94E4 B1E6 3624 226D  5727 4453 008B E65A 7801
CCs of replies from mailing lists are requested.

* Culus thinks we should go to trade shows and see how many people we
  can kill by throwing debian cds at them




Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-12 Thread Dmitry Borodaenko
On Mon, Mar 11, 2002 at 09:42:39PM +0100, Michael Stone wrote:
> The zlib vulnerability is fixed in the Debian zlib package version
> 1.1.3-5.1. A number of programs either link statically to zlib or include
> a private copy of zlib code. These programs must also be upgraded
> to eliminate the zlib vulnerability. The affected packages and fixed
> versions follow:
>   amaya 2.4-1potato1
>   dictd 1.4.9-9potato1
>   erlang 49.1-10.1
>   freeamp 2.0.6-2.1
>   mirrordir 0.10.48-2.1
>   ppp 2.3.11-1.5
>   rsync 2.3.2-1.6
>   vrweb 1.5-5.1

For comparison, here is a list of packages reported to be affected by
the zlib vulnerability in ALT Linux Sisyphus (fixed src.rpms listed):

XFree86-4.2.0-alt2.src.rpm
XFree86-compat-3.3.6-ipl23mdk.src.rpm
freeswan-1.95-alt3.src.rpm
iptables-1.2.5-alt1.src.rpm
kernel-headers-common-1.0-alt1.src.rpm
kernel22-2.2.21-alt3.p4.src.rpm
kernel24-2.4.18-alt2.src.rpm
kernel24-2.4.7-alt3.src.rpm
libpopt-1.7-alt2.src.rpm
mkinitrd-2.7.1-alt6.1.src.rpm
mktemp-1.4-alt1.src.rpm
modutils-2.4.12-alt1.src.rpm
pngcrush-1.5.8-alt2.src.rpm
rpm-3.0.6-ipl29.2mdk.src.rpm
rsync-2.5.3-alt2.src.rpm
vnc-3.3.3r2-alt2.src.rpm
zlib-1.1.3-ipl15mdk.src.rpm

As you can see, there are packages fixed in Sisyphus that are not
mentioned in the Debian announcement. Does this mean that the Debian
counterparts were not affected in the first place, or that they were
overlooked?

-- 
Dmitry Borodaenko





Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-12 Thread Florian Weimer
Jor-el <[EMAIL PROTECTED]> writes:
>
>   Doesn't dpkg also compile with a static zlib? Why does it not make
> this list?

At least on unstable, it does.

/usr/bin/dpkg-deb: zlib configuration table, little endian, 32 bit
/usr/bin/dpkg-deb: zlib inflate table, little endian

(Tool is available at .)

-- 
Florian Weimer            [EMAIL PROTECTED]
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT  +49-711-685-5973/fax +49-711-685-5898
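Florian's output above comes from a tool that recognises zlib by the constant tables compiled into it. The scanner below is an added example, not that tool or any Debian code: it searches a binary for the DEFLATE length-base and distance-base arrays (the cplens/cpdist tables of zlib 1.1.x's inftrees.c, assumed here to be laid out as plain C arrays of 16- or 32-bit unsigned integers) and reports the element width and byte order that matched; the binary it scans by default is constructed inline.

```python
"""Spot statically linked or privately copied zlib in binaries by its fixed tables."""
import struct
import sys
from typing import Dict, List

# DEFLATE (RFC 1951) base lengths for codes 257..285, plus the two zero
# entries zlib 1.1.x appends in inftrees.c (cplens[31], stored as uInt).
CPLENS = [3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31, 35, 43,
          51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258, 0, 0]
# DEFLATE base distances for codes 0..29 (cpdist[30] in the same file).
CPDIST = [1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193, 257,
          385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145, 8193, 12289,
          16385, 24577]


def encode_table(values: List[int], width: int, endian: str) -> bytes:
    """Serialise a table the way a C compiler lays out a const integer array."""
    fmt = {"little": "<", "big": ">"}[endian] + {16: "H", 32: "I"}[width]
    return b"".join(struct.pack(fmt, v) for v in values)


# Every (table, element width, byte order) combination we recognise.  A build
# whose tables are unsigned short (as in later zlib) matches the 16-bit forms.
SIGNATURES: Dict[str, bytes] = {
    f"zlib {name}, {endian} endian, {width} bit": encode_table(values, width, endian)
    for name, values in (("inflate length table", CPLENS),
                         ("inflate distance table", CPDIST))
    for width in (16, 32)
    for endian in ("little", "big")
}


def scan_for_zlib(data: bytes) -> List[str]:
    """Return a description of every zlib table found in `data`."""
    return [desc for desc, sig in SIGNATURES.items() if sig in data]


def scan_files(paths: List[str]) -> Dict[str, List[str]]:
    """Map each readable file that embeds a zlib table to its findings."""
    results: Dict[str, List[str]] = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                hits = scan_for_zlib(fh.read())
        except OSError:
            continue  # directories, permission errors: skip, do not abort the sweep
        if hits:
            results[path] = hits
    return results


def make_sample_binary() -> bytes:
    """Constructed stand-in for a program carrying a private zlib copy: an
    ELF-like header, pseudo-code bytes, then both tables as 32-bit LE .rodata."""
    header = b"\x7fELF\x01\x01\x01" + b"\x00" * 9
    code = bytes((i * 37 + 11) % 256 for i in range(512))
    rodata = (encode_table(CPLENS, 32, "little") + b"\x00" * 16
              + encode_table(CPDIST, 32, "little"))
    return header + code + rodata + b"\x00" * 64


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        # No files given: demonstrate on the constructed sample and a clean blob.
        for label, blob in (("sample-with-zlib", make_sample_binary()),
                            ("clean-blob", b"\x00" * 4096)):
            print(f"{label}: {scan_for_zlib(blob) or 'no zlib tables'}")
    else:
        for path, hits in scan_files(targets).items():
            for hit in hits:
                print(f"{path}: {hit}")
```

Run over /usr/bin and /usr/sbin it lists the programs that carry their own copy of the inflate tables; libz itself matches too, so any other match is a candidate for the advisory's static-link list.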






Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-12 Thread Andrew Tait
Unless you are going to dial into a malicious ISP, I doubt this will be a
problem (AFAIK, but don't quote me).

Most of my servers are stable/testing hybrids, including 2 running 2.4 (and
I have been very happy with them).

Update your sources.list to have both stable and testing (and make sure you
called them that, not potato/woody), and then do an "apt-get install apt",
which will install testing's apt onto your stable box, along with any
dependencies.

Then add this to your apt.conf file:

APT::Default-Release "stable";

You can then install packages (and dependencies) from testing via "apt-get
install ssh -t testing". Otherwise packages will be pulled from stable.

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix
- Original Message -
From: "Chuck Peters" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; 
Sent: Tuesday, March 12, 2002 5:07 PM
Subject: Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer
overflow


>
> ii  ppp            2.4.1-0.bunk.2   Point-to-Point Protocol (PPP) daemon.
>
> How does this affect ppp servers running potato with the unofficial 2.4
> packages provided by Adrian Bunk?
>
> Does anyone have any recommendations for fixing this potential exploit?
>
>
> Thanks,
> Chuck
>
>
>
>
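The recipe above hinges on the names in sources.list agreeing with the value in apt.conf. As an added example (not Andrew's or Debian's code), the linter below parses both files and flags a Default-Release that names no listed suite, entries written by codename, and a missing Default-Release; the sources.list and apt.conf contents are constructed samples and the mirror URI is a placeholder.

```python
"""Lint a stable/testing hybrid: sources.list suites vs APT::Default-Release."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Codename-to-suite mapping at the time of the thread (March 2002).  Extend as
# releases move; the check only needs to know which names are codenames.
CODENAME_TO_SUITE = {"potato": "stable", "woody": "testing"}


@dataclass
class Source:
    kind: str              # "deb" or "deb-src"
    uri: str
    suite: str             # third field: a suite ("stable") or a codename ("potato")
    components: List[str] = field(default_factory=list)


def parse_sources_list(text: str) -> List[Source]:
    """Parse classic one-line sources.list entries; '#' starts a comment."""
    sources = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("deb", "deb-src"):
            raise ValueError(f"unparseable sources.list line: {raw!r}")
        sources.append(Source(fields[0], fields[1], fields[2], fields[3:]))
    return sources


_DEFAULT_RELEASE = re.compile(r'APT::Default-Release\s+"([^"]*)"\s*;', re.IGNORECASE)


def parse_default_release(apt_conf: str) -> Optional[str]:
    """Return the value of APT::Default-Release, ignoring // comments, or None."""
    code = "\n".join(line.split("//", 1)[0] for line in apt_conf.splitlines())
    match = _DEFAULT_RELEASE.search(code)
    return match.group(1) if match else None


def lint_hybrid(sources_list: str, apt_conf: str) -> List[str]:
    """Return one finding per problem that would defeat the stable/testing recipe."""
    problems: List[str] = []
    sources = parse_sources_list(sources_list)
    suites = {s.suite for s in sources}
    default = parse_default_release(apt_conf)

    if default is None:
        # Without a default release every source gets the same priority, so
        # the highest version available (testing's) is installed.
        problems.append("apt.conf sets no APT::Default-Release, so stable and testing "
                        "are ranked equally and the newest version wins")
    elif default not in suites:
        problems.append(f'APT::Default-Release "{default}" names no suite listed in '
                        "sources.list, so it has no effect")
    for src in sources:
        if src.suite in CODENAME_TO_SUITE:
            problems.append(f"{src.uri} is listed by codename {src.suite!r}; the recipe "
                            f"expects the suite name {CODENAME_TO_SUITE[src.suite]!r}")
    if not {"stable", "testing"} <= suites:
        problems.append("sources.list does not list both stable and testing")
    return problems


# Constructed sample configurations (the mirror URI is a placeholder).
GOOD_SOURCES = """\
deb http://mirror.example/debian stable main contrib non-free
deb http://mirror.example/debian testing main contrib non-free
"""
CODENAME_SOURCES = """\
# same mirror, but written the way the thread warns against
deb http://mirror.example/debian potato main
deb http://mirror.example/debian woody main
"""
GOOD_CONF = 'APT::Default-Release "stable";\n'
EMPTY_CONF = '// APT::Default-Release "stable";   (commented out, so inactive)\n'

if __name__ == "__main__":
    for label, srcs, conf in (("good", GOOD_SOURCES, GOOD_CONF),
                              ("codenames", CODENAME_SOURCES, GOOD_CONF),
                              ("no default", GOOD_SOURCES, EMPTY_CONF)):
        print(f"[{label}]")
        for finding in lint_hybrid(srcs, conf) or ["ok"]:
            print("  -", finding)
```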



Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-12 Thread Chuck Peters

ii  ppp            2.4.1-0.bunk.2   Point-to-Point Protocol (PPP) daemon.

How does this affect ppp servers running potato with the unofficial 2.4
packages provided by Adrian Bunk?

Does anyone have any recommendations for fixing this potential exploit?


Thanks,
Chuck



Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-11 Thread Steve Langasek
On Tue, Mar 12, 2002 at 05:18:34PM +1300, John Morton wrote:
> On Tuesday 12 March 2002 15:52, Steve Langasek wrote:

> > >   Doesn't dpkg also compile with a static zlib? Why does it not make
> > > this list?

> > What Internet-accessible port are you running dpkg on? :)

> > dpkg doesn't normally run on a network port, so exploiting it doesn't
> > get you local access unless you already have it; and it's not suid, so
> > running it from commandline doesn't let you get root.  Therefore, there
> > is no security hole opened by a vulnerability in dpkg.

> I think this reasoning is flawed - a vulnerable zlib in dpkg would be 
> exploited by a trojaned deb package that someone unwittingly downloads, and 
> as dpkg tends to be run as root, that would buy the attacker root privilages. 

> Admittedly, as things stand, a trojaned package could do many of those things 
> with doctored install scripts anyway, but this vulnerability does matter if 
> the package has to be uncompressed just to examine it.

True.  Regardless of how much of a risk this really is, one of the dpkg
maintainers has indicated that a fixed package is on its way.

Regards,
Steve Langasek
postmodern programmer




Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-11 Thread Matt Zimmerman
On Mon, Mar 11, 2002 at 08:52:54PM -0600, Steve Langasek wrote:

> dpkg doesn't normally run on a network port, so exploiting it doesn't get
> you local access unless you already have it; and it's not suid, so running
> it from commandline doesn't let you get root.  Therefore, there is no
> security hole opened by a vulnerability in dpkg.

Not so; other, more subtle attack vectors are possible.  For example, the
superuser could use dpkg-deb --extract on a hostile binary .deb.  This
should be a safe operation, given a properly controlled environment, but by
exploiting this bug, dpkg could be tricked into executing arbitrary code.

-- 
 - mdz



Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-11 Thread John Morton
On Tuesday 12 March 2002 15:52, Steve Langasek wrote:

> > Doesn't dpkg also compile with a static zlib? Why does it not make
> > this list?
>
> What Internet-accessible port are you running dpkg on? :)
>
> dpkg doesn't normally run on a network port, so exploiting it doesn't
> get you local access unless you already have it; and it's not suid, so
> running it from commandline doesn't let you get root.  Therefore, there
> is no security hole opened by a vulnerability in dpkg.

I think this reasoning is flawed - a vulnerable zlib in dpkg would be
exploited by a trojaned deb package that someone unwittingly downloads, and
as dpkg tends to be run as root, that would buy the attacker root privileges.

Admittedly, as things stand, a trojaned package could do many of those things 
with doctored install scripts anyway, but this vulnerability does matter if 
the package has to be uncompressed just to examine it.

John



Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-11 Thread Michael Stone
>   Doesn't dpkg also compile with a static zlib? Why does it not make
> this list?

No, it doesn't. The potato version of dpkg forks a copy of gzip. Any
other versions don't get security support. :)

-- 
Mike Stone




Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-11 Thread Steve Langasek
On Mon, Mar 11, 2002 at 05:16:43PM -0600, Jor-el wrote:
> On Mon, 11 Mar 2002, Michael Stone wrote:

> > -BEGIN PGP SIGNED MESSAGE-

> > - --
> > Debian Security Advisory DSA 122-1 [EMAIL PROTECTED]
> > http://www.debian.org/security/  Michael Stone
> > March 11th, 2002
> > - --

> > Package: zlib, various
> > Vulnerability  : malloc error (double free)
> > Problem-Type   : potential remote root
> > Debian-specific: no

> > The compression library zlib has a flaw in which it attempts to free
> > memory more than once under certain conditions. This can possibly be
> > exploited to run arbitrary code in a program that includes zlib. If a
> > network application running as root is linked to zlib, this could
> > potentially lead to a remote root compromise. No exploits are known at
> > this time. This vulnerability is assigned the CVE candidate name of
> > CAN-2002-0059.

> > The zlib vulnerability is fixed in the Debian zlib package version
> > 1.1.3-5.1. A number of programs either link statically to zlib or include
> > a private copy of zlib code. These programs must also be upgraded
> > to eliminate the zlib vulnerability. The affected packages and fixed
> > versions follow:
> >   amaya 2.4-1potato1
> >   dictd 1.4.9-9potato1
> >   erlang 49.1-10.1
> >   freeamp 2.0.6-2.1
> >   mirrordir 0.10.48-2.1
> >   ppp 2.3.11-1.5
> >   rsync 2.3.2-1.6
> >   vrweb 1.5-5.1

> Hi,

>   Doesn't dpkg also compile with a static zlib? Why does it not make
> this list?

What Internet-accessible port are you running dpkg on? :)

dpkg doesn't normally run on a network port, so exploiting it doesn't
get you local access unless you already have it; and it's not suid, so
running it from commandline doesn't let you get root.  Therefore, there
is no security hole opened by a vulnerability in dpkg.

Steve Langasek
postmodern programmer




Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-11 Thread Matt Zimmerman
On Mon, Mar 11, 2002 at 05:16:43PM -0600, Jor-el wrote:

> >   amaya 2.4-1potato1
> >   dictd 1.4.9-9potato1
> >   erlang 49.1-10.1
> >   freeamp 2.0.6-2.1
> >   mirrordir 0.10.48-2.1
> >   ppp 2.3.11-1.5
> >   rsync 2.3.2-1.6
> >   vrweb 1.5-5.1
> > 
> Hi,
> 
>   Doesn't dpkg also compile with a static zlib? Why does it not make
> this list?

dpkg in stable (1.6.15) does not link with zlib at all.

-- 
 - mdz



Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-11 Thread Adam Heath
On Mon, 11 Mar 2002, Jor-el wrote:

> > The zlib vulnerability is fixed in the Debian zlib package version
> > 1.1.3-5.1. A number of programs either link statically to zlib or include
> > a private copy of zlib code. These programs must also be upgraded
> > to eliminate the zlib vulnerability. The affected packages and fixed
> > versions follow:
> >   amaya 2.4-1potato1
> >   dictd 1.4.9-9potato1
> >   erlang 49.1-10.1
> >   freeamp 2.0.6-2.1
> >   mirrordir 0.10.48-2.1
> >   ppp 2.3.11-1.5
> >   rsync 2.3.2-1.6
> >   vrweb 1.5-5.1
> >
> Hi,
>
>   Doesn't dpkg also compile with a static zlib? Why does it not make
> this list?

It does, and you are correct.  I guess an upload will be forthcoming from me.
There also happens to be an assertion bug that I have a fix for as well.



Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-11 Thread Steve Langasek

On Tue, Mar 12, 2002 at 05:18:34PM +1300, John Morton wrote:
> On Tuesday 12 March 2002 15:52, Steve Langasek wrote:

> > >   Doesnt dpkg also compile with a static zlib? Why does it not make
> > > this list?

> > What Internet-accessible port are you running dpkg on? :)

> > dpkg doesn't normally run on a network port, so exploiting it doesn't
> > get you local access unless you already have it; and it's not suid, so
> > running it from commandline doesn't let you get root.  Therefore, there
> > is no security hole opened by a vulnerability in dpkg.

> I think this reasoning is flawed - a vulnerable zlib in dpkg would be 
> exploited by a trojaned deb package that someone unwittingly downloads, and 
> as dpkg tends to be run as root, that would buy the attacker root privileges.

> Admittedly, as things stand, a trojaned package could do many of those things 
> with doctored install scripts anyway, but this vulnerability does matter if 
> the package has to be uncompressed just to examine it.

True.  Regardless of how much of a risk this really is, one of the dpkg
maintainers has indicated that a fixed package is on its way.

Regards,
Steve Langasek
postmodern programmer





Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-11 Thread Joey Hess
Jor-el wrote:
>   Doesn't dpkg also compile with a static zlib? Why does it not make
> this list?

Yeah, dpkg-deb does. Presumably you already have to trust debs you
install, but this could affect using dpkg to examine the contents of
untrusted debs.

-- 
see shy jo



Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-11 Thread Matt Zimmerman

On Mon, Mar 11, 2002 at 08:52:54PM -0600, Steve Langasek wrote:

> dpkg doesn't normally run on a network port, so exploiting it doesn't get
> you local access unless you already have it; and it's not suid, so running
> it from commandline doesn't let you get root.  Therefore, there is no
> security hole opened by a vulnerability in dpkg.

Not so; other, more subtle attack vectors are possible.  For example, the
superuser could use dpkg-deb --extract on a hostile binary .deb.  This
should be a safe operation, given a properly controlled environment, but by
exploiting this bug, dpkg could be tricked into executing arbitrary code.

-- 
 - mdz


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-11 Thread John Morton

On Tuesday 12 March 2002 15:52, Steve Langasek wrote:

> > Doesn't dpkg also compile with a static zlib? Why does it not make
> > this list?
>
> What Internet-accessible port are you running dpkg on? :)
>
> dpkg doesn't normally run on a network port, so exploiting it doesn't
> get you local access unless you already have it; and it's not suid, so
> running it from commandline doesn't let you get root.  Therefore, there
> is no security hole opened by a vulnerability in dpkg.

I think this reasoning is flawed - a vulnerable zlib in dpkg would be 
exploited by a trojaned deb package that someone unwittingly downloads, and 
as dpkg tends to be run as root, that would buy the attacker root privileges.

Admittedly, as things stand, a trojaned package could do many of those things 
with doctored install scripts anyway, but this vulnerability does matter if 
the package has to be uncompressed just to examine it.

John






Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-11 Thread Steve Langasek

On Mon, Mar 11, 2002 at 05:16:43PM -0600, Jor-el wrote:
> On Mon, 11 Mar 2002, Michael Stone wrote:

> > -BEGIN PGP SIGNED MESSAGE-

> > - --
> > Debian Security Advisory DSA 122-1 [EMAIL PROTECTED]
> > http://www.debian.org/security/  Michael Stone
> > March 11th, 2002
> > - --

> > Package: zlib, various
> > Vulnerability  : malloc error (double free)
> > Problem-Type   : potential remote root
> > Debian-specific: no

> > The compression library zlib has a flaw in which it attempts to free
> > memory more than once under certain conditions. This can possibly be
> > exploited to run arbitrary code in a program that includes zlib. If a
> > network application running as root is linked to zlib, this could
> > potentially lead to a remote root compromise. No exploits are known at
> > this time. This vulnerability is assigned the CVE candidate name of
> > CAN-2002-0059.

> > The zlib vulnerability is fixed in the Debian zlib package version
> > 1.1.3-5.1. A number of programs either link statically to zlib or include
> > a private copy of zlib code. These programs must also be upgraded
> > to eliminate the zlib vulnerability. The affected packages and fixed
> > versions follow:
> >   amaya 2.4-1potato1
> >   dictd 1.4.9-9potato1
> >   erlang 49.1-10.1
> >   freeamp 2.0.6-2.1
> >   mirrordir 0.10.48-2.1
> >   ppp 2.3.11-1.5
> >   rsync 2.3.2-1.6
> >   vrweb 1.5-5.1

> Hi,

>   Doesn't dpkg also compile with a static zlib? Why does it not make
> this list?

What Internet-accessible port are you running dpkg on? :)

dpkg doesn't normally run on a network port, so exploiting it doesn't
get you local access unless you already have it; and it's not suid, so
running it from commandline doesn't let you get root.  Therefore, there
is no security hole opened by a vulnerability in dpkg.

Steve Langasek
postmodern programmer





Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-11 Thread Jor-el
On Mon, 11 Mar 2002, Michael Stone wrote:

> -BEGIN PGP SIGNED MESSAGE-
> 
> - --
> Debian Security Advisory DSA 122-1 [EMAIL PROTECTED]
> http://www.debian.org/security/  Michael Stone
> March 11th, 2002
> - --
> 
> Package: zlib, various
> Vulnerability  : malloc error (double free)
> Problem-Type   : potential remote root
> Debian-specific: no
> 
> The compression library zlib has a flaw in which it attempts to free
> memory more than once under certain conditions. This can possibly be
> exploited to run arbitrary code in a program that includes zlib. If a
> network application running as root is linked to zlib, this could
> potentially lead to a remote root compromise. No exploits are known at
> this time. This vulnerability is assigned the CVE candidate name of
> CAN-2002-0059.
> 
> The zlib vulnerability is fixed in the Debian zlib package version
> 1.1.3-5.1. A number of programs either link statically to zlib or include
> a private copy of zlib code. These programs must also be upgraded
> to eliminate the zlib vulnerability. The affected packages and fixed
> versions follow:
>   amaya 2.4-1potato1
>   dictd 1.4.9-9potato1
>   erlang 49.1-10.1
>   freeamp 2.0.6-2.1
>   mirrordir 0.10.48-2.1
>   ppp 2.3.11-1.5
>   rsync 2.3.2-1.6
>   vrweb 1.5-5.1
> 
Hi,

Doesn't dpkg also compile with a static zlib? Why does it not make
this list?

Regards,
Jor-el
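The advisory's distinction between the shared libz and programs that link zlib statically or bundle their own copy means an inventory has to look inside executables, not just at the package list. As an added example, not from this thread or from Debian, here is a portable shell check that looks for zlib's embedded version strings and reports whether a file uses the shared library instead (the function names and the sample file are constructed for illustration):

```shell
#!/bin/sh
# Added example (not from the thread or from Debian): find binaries that
# carry a private copy of zlib, which a shared-libz upgrade does not fix.
# zlib's deflate.c and inflate.c embed version strings such as
# "deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly", so a statically
# linked or bundled zlib leaves a recognisable marker in the executable.

# Print the zlib version embedded in a file (empty if none is found).
embedded_zlib_version() {
    tr -c '[:print:]' '\n' < "$1" \
        | grep -oE '(deflate|inflate) [0-9]+\.[0-9]+\.[0-9]+' \
        | awk '{ print $2 }' | sort -u | head -n 1
}

# True if the file uses the shared libz (covered by upgrading the zlib package).
links_shared_zlib() {
    ldd "$1" 2>/dev/null | grep -q 'libz\.so'
}

# Report every file in a directory that embeds a zlib version string,
# tagging it "shared" (fixed by the zlib package) or "embedded"
# (needs its own rebuild, like the packages listed in DSA 122-1).
scan_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        v=$(embedded_zlib_version "$f")
        [ -n "$v" ] || continue
        if links_shared_zlib "$f"; then kind=shared; else kind=embedded; fi
        printf '%s\t%s\t%s\n' "$f" "$v" "$kind"
    done
}

# Constructed sample input so the script runs offline: a fake "binary"
# holding the marker string of a bundled zlib 1.1.3 between NUL bytes.
sample=$(mktemp)
printf 'junk\000\000deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly\000x' > "$sample"

# Typical use on a real system: scan_dir /usr/bin | grep embedded
embedded_zlib_version "$sample"   # prints 1.1.3
```

A version the scan reports is only a starting point: compare it against the advisory, since a bundled copy may have been patched in place without the version string changing.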



Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow

2002-03-11 Thread Michael Stone

>   Doesn't dpkg also compile with a static zlib? Why does it not make
> this list?

No, it doesn't. The potato version of dpkg forks a copy of gzip. Any
other versions don't get security support. :)

-- 
Mike Stone





