Date: Mon, 11 Mar 2002 12:41:04 -0500 (EST)
From: EnGarde Secure Linux <[email protected]>
To: [email protected], [email protected]
Subject: [ESA-20020311-008] Double free() in zlib may lead to buffer overflow.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory March 11, 2002 |
| http://www.engardelinux.org/ ESA-20020311-008 |
| |
| Packages: zlib, kernel, popt, rpm, rsync |
| Summary: Double free() in zlib may lead to buffer overflow. |
+------------------------------------------------------------------------+
EnGarde Secure Linux is a secure distribution of Linux that features
improved access control, host and network intrusion detection, Web
based secure remote management, complete e-commerce using AllCommerce,
and integrated open source security tools.
OVERVIEW
- --------
The zlib shared library may attempt to free() a memory region more than
once, potentially making certain programs that use it for decompression
exploitable. Because certain packages include their own zlib
implementation or statically link against the system zlib, several
packages need to be updated to properly fix this bug.
DETAIL
- ------
Matthias Clasen <[email protected]> and Owen Taylor <[email protected]>
discovered this bug while debugging a problem in the gdk-pixbuf
library[1]. The vulnerability arises from an error where a segment
of dynamically allocated memory may be "double free()'d", leading to
corruption of malloc's internal data structures.
This corruption leads to a buffer overflow in the zlib library which
affects any program that links against it. In order to properly fix
this bug the zlib, kernel, rpm and rsync packages all needed to be
updated. Other security and bug-fix updates were included in the
kernel and rsync packages.
A summary of all included updates follows:
zlib (1.0.4)
------------
* Fixed double free in infblock.c.
kernel (1.0.27)
---------------
* Fixed double free in drivers/net/zlib.c.
* Fixed bug where users could kill system processes using lcall().
popt / rpm (1.0.14)
-------------------
* Re-linked against updated zlib.
rsync (1.0.6)
-------------
* Fixed double free in zlib/infblock.c.
* Fixed some more signedness issues related to ESA-20020125-004.
* Made rsync drop supplementary groups when changing UIDs.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0059 to this issue.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0059
All users should upgrade immediately, following the steps in the
SOLUTION section below.
SOLUTION
- --------
Users of the EnGarde Professional edition can use the Guardian Digital
Secure Network to update their systems automatically.
EnGarde Community users should upgrade to the most recent version
as outlined in this advisory. Updates may be obtained from:
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.engardelinux.org/pub/engarde/stable/updates/
Please read and understand this entire section before you attempt to
upgrade these packages.
Initial Steps
-------------
1) Verify that either:
a) the machine is booted into a "standard" kernel; or
b) LIDS is disabled (/sbin/lidsadm -S -- -LIDS_GLOBAL)
2) Determine which kernels you currently have installed:
# rpm -qa --qf "%{NAME}\n" | grep kernel
3) Download the new kernels that match what you have installed
(based on step 2) from the "UPDATED PACKAGES" section of this
advisory.
4) Download the rest of these updates (zlib, rpm, rsync).
Installation Steps
------------------
5) Install the new kernel packages. The packages will automagically
update /etc/lilo.conf by commenting out any old EnGarde images
and replacing them with the new ones:
# rpm --replacefiles -i <kernel 1> <kernel 2> ...
6) Upgrade the rest of the packages:
# rpm -Uvh popt*.rpm rpm*.rpm rsync*.rpm zlib*.rpm
7) Re-run LILO. If you see any errors then open /etc/lilo.conf in
your favorite text editor and make the appropriate changes:
# /sbin/lilo
Final Steps
-----------
8) If you did not see any LILO errors then your new kernel is now
installed and your machine is ready to be rebooted:
# reboot
A reboot is required to properly complete this update.
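Before running the installation steps above, a practitioner will want to confirm that every downloaded package matches the MD5 sum published in the UPDATED PACKAGES section of this advisory, and that only the kernel packages matching the output of step 2 are selected. The following script is an added example and is not part of the advisory or of EnGarde's tooling; it assumes GNU coreutils (md5sum, cut, basename, mktemp) and a POSIX sh. The i386 manifest embedded in it is copied from the package list in this advisory; the file names and the VERIFY_DIR variable used for the usage path are this example's own conventions.

```shell
#!/bin/sh
# Added example (not part of the EnGarde advisory): check downloaded
# update packages against the MD5 sums published in the advisory before
# installing, and pick out only the kernel packages that match what is
# installed. Assumes GNU coreutils (md5sum, cut, basename, mktemp).

# Manifest of the i386 binary packages as listed in the advisory:
# "<path> <md5>" per line. The i686 list would be written the same way.
write_manifest_i386() {
    cat > "$1" <<'EOF'
i386/kernel-2.2.19-1.0.27.i386.rpm d973f6a0b35d26f6be80744a2069af70
i386/kernel-lids-mods-2.2.19-1.0.27.i386.rpm f80456e25b75dd05c15302e4f51c7091
i386/kernel-smp-lids-mods-2.2.19-1.0.27.i386.rpm 99915dbb34d29d6111d6aa6595bfd932
i386/kernel-smp-mods-2.2.19-1.0.27.i386.rpm cc3e0ae1208cfe1e4b5471ec6b8c5947
i386/popt-1.5-1.0.14.i386.rpm 034d201a831a60bdb65561cd47179241
i386/rpm-3.0.6-1.0.14.i386.rpm 2319064a6c566b5f7611bc0cb2ba8192
i386/rsync-2.4.6-1.0.6.i386.rpm 8711acaf8861a69ff2f93e5c04be569a
i386/zlib-1.1.3-1.0.4.i386.rpm 42afd482da0a6c845d221487ab274090
EOF
}

# verify_md5 FILE EXPECTED: succeed only if FILE exists and its MD5 matches.
verify_md5() {
    file="$1"
    expected="$2"
    [ -f "$file" ] || return 1
    actual=$(md5sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# verify_manifest MANIFEST DIR: check every entry (by basename) under DIR.
# Prints one status line per package; succeeds only if all of them match.
# Blank lines and lines starting with '#' in the manifest are skipped.
verify_manifest() {
    manifest="$1"
    dir="$2"
    failures=0
    while read -r path sum; do
        case "$path" in ''|'#'*) continue ;; esac
        if verify_md5 "$dir/$(basename "$path")" "$sum"; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"
            failures=$((failures + 1))
        fi
    done < "$manifest"
    [ "$failures" -eq 0 ]
}

# select_kernel_packages MANIFEST INSTALLED: INSTALLED holds one package
# NAME per line, i.e. the output of step 2 in the advisory:
#   rpm -qa --qf "%{NAME}\n" | grep kernel
# Prints the manifest lines for exactly those names. The "-[0-9]" after
# the name makes "kernel" match kernel-2.2.19-... but not
# kernel-lids-mods-2.2.19-...
select_kernel_packages() {
    manifest="$1"
    installed="$2"
    while read -r name; do
        [ -n "$name" ] || continue
        grep "/$name-[0-9]" "$manifest" || true
    done < "$installed"
}

# Usage (hypothetical convention of this example): point VERIFY_DIR at the
# directory holding the downloaded packages, e.g.
#   VERIFY_DIR=./updates sh verify-updates.sh
# With VERIFY_DIR unset the functions are only defined, nothing is checked.
if [ -n "${VERIFY_DIR:-}" ]; then
    manifest=$(mktemp)
    write_manifest_i386 "$manifest"
    if verify_manifest "$manifest" "$VERIFY_DIR"; then
        echo "All checksums match; continue with the rpm steps in the advisory."
    else
        echo "At least one package failed verification; do not install." >&2
        rm -f "$manifest"
        exit 1
    fi
    rm -f "$manifest"
fi
```

The check refuses to proceed on a single mismatch rather than reporting and continuing, because a partial install of this update (say, the new kernel without the re-linked rpm and popt) leaves the system in exactly the mixed state the advisory is trying to avoid. MD5 is used here only because it is the digest the advisory publishes; the published GPG signature on the advisory itself is what ties those sums to Guardian Digital.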
UPDATED PACKAGES
- ----------------
These updated packages are for EnGarde Secure Linux Community
Edition.
Source Packages:
SRPMS/kernel-2.2.19-1.0.27.src.rpm
MD5 Sum: e7af4de890c24cf9d88a05fdf1d355c5
SRPMS/rpm-3.0.6-1.0.14.src.rpm
MD5 Sum: 6e202c6d02f0b76b9f212ae74c54c211
SRPMS/rsync-2.4.6-1.0.6.src.rpm
MD5 Sum: c31cd404485d7d7022ade4802c4b6f6a
SRPMS/zlib-1.1.3-1.0.4.src.rpm
MD5 Sum: fad84ed3b4e0a5845abc786b131cf5e4
i386 Binary Packages:
i386/kernel-2.2.19-1.0.27.i386.rpm
MD5 Sum: d973f6a0b35d26f6be80744a2069af70
i386/kernel-lids-mods-2.2.19-1.0.27.i386.rpm
MD5 Sum: f80456e25b75dd05c15302e4f51c7091
i386/kernel-smp-lids-mods-2.2.19-1.0.27.i386.rpm
MD5 Sum: 99915dbb34d29d6111d6aa6595bfd932
i386/kernel-smp-mods-2.2.19-1.0.27.i386.rpm
MD5 Sum: cc3e0ae1208cfe1e4b5471ec6b8c5947
i386/popt-1.5-1.0.14.i386.rpm
MD5 Sum: 034d201a831a60bdb65561cd47179241
i386/rpm-3.0.6-1.0.14.i386.rpm
MD5 Sum: 2319064a6c566b5f7611bc0cb2ba8192
i386/rsync-2.4.6-1.0.6.i386.rpm
MD5 Sum: 8711acaf8861a69ff2f93e5c04be569a
i386/zlib-1.1.3-1.0.4.i386.rpm
MD5 Sum: 42afd482da0a6c845d221487ab274090
i686 Binary Packages:
i686/kernel-2.2.19-1.0.27.i686.rpm
MD5 Sum: 41f7dea256382e8fe8c931ae7a8b316b
i686/kernel-lids-mods-2.2.19-1.0.27.i686.rpm
MD5 Sum: 02f25cc810bbcef6c9da64ae9421304d
i686/kernel-smp-lids-mods-2.2.19-1.0.27.i686.rpm
MD5 Sum: 3ce8fd883a2afb9bbca42623882ac42c
i686/kernel-smp-mods-2.2.19-1.0.27.i686.rpm
MD5 Sum: 719eefbc2e4fbff557cf61dd972e8273
i686/popt-1.5-1.0.14.i686.rpm
MD5 Sum: e97853c5d1285f6aaf891e59cf71abe1
i686/rpm-3.0.6-1.0.14.i686.rpm
MD5 Sum: be79daaa06b387164a862601077f5e03
i686/rsync-2.4.6-1.0.6.i686.rpm
MD5 Sum: ae64525c60870f7153c79ee80a022941
i686/zlib-1.1.3-1.0.4.i686.rpm
MD5 Sum: f5dec2b85b56dcfcb88bd8526d4ab6e2
REFERENCES
- ----------
[1] http://bugzilla.gnome.org/show_bug.cgi?id=70594
Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY
Credit for the discovery/handling of this bug goes to:
Mark J Cox <[email protected]>
Matthias Clasen <[email protected]>
Owen Taylor <[email protected]>
zlib's Official Web Site:
http://www.gzip.org/zlib
Security Contact: [email protected]
EnGarde Advisories: http://www.engardelinux.org/advisories.html
- --------------------------------------------------------------------------
$Id: ESA-20020311-008-zlib,v 1.7 2002/03/11 15:29:32 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple, <[email protected]>
Copyright 2002, Guardian Digital, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE8jOw4HD5cqd57fu0RAqqOAJ93I7HP5YUF7VTlMaHYFs1F8zPtRQCdE8Dc
L+6tGjQH3C4S/APi2XFwv+A=
=QDjZ
-----END PGP SIGNATURE-----