Security Update: [CSSA-2002-015.0] Linux: Double free in zlib (libz) vulnerability
Date: Thu, 4 Apr 2002 16:38:11 -0800
From: [email protected]
To: [email protected], [email protected],
Subject: Security Update: [CSSA-2002-015.0] Linux: Double free in zlib (libz) vulnerability
--1yeeQ81UyVL57Vl7
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
To: [email protected] [email protected] [email protected]
______________________________________________________________________________
Caldera International, Inc. Security Advisory
Subject: Linux: Double free in zlib (libz) vulnerability
Advisory number: CSSA-2002-015.0
Issue date: 2002, April 04
Cross reference:
______________________________________________________________________________
1. Problem Description
From CERT CA-2002-07: There is a bug in the zlib compression
library that may manifest itself as a vulnerability in programs
that are linked with zlib. This may allow an attacker to conduct
a denial-of-service attack, gather information, or execute
arbitrary code.
2. Vulnerable Supported Versions
System Package
----------------------------------------------------------------------
OpenLinux 3.1.1 Server prior to dump-0.4b22-5.i386.rpm
prior to libz-1.1.3-12.i386.rpm
prior to linux-source-cris-2.4.13-15S.i386.rpm
prior to linux-source-i386-2.4.13-15S.i386.rpm
prior to linux-source-ia64-2.4.13-15S.i386.rpm
prior to linux-source-m68k-2.4.13-15S.i386.rpm
prior to linux-source-mips-2.4.13-15S.i386.rpm
prior to linux-source-parisc-2.4.13-15S.i386.rpm
prior to linux-source-ppc-2.4.13-15S.i386.rpm
prior to linux-source-s390-2.4.13-15S.i386.rpm
prior to linux-source-sparc-2.4.13-15S.i386.rpm
prior to linux-source-superH-2.4.13-15S.i386.rpm
prior to libz-devel-1.1.3-12.i386.rpm
prior to rpm-3.0.6-9.i386.rpm
prior to rpm-devel-3.0.6-9.i386.rpm
prior to rsync-2.5.0-5.i386.rpm
prior to dump-0.4b22-5.src.rpm
prior to libz-1.1.3-12.src.rpm
prior to linux-2.4.13-15.src.rpm
prior to rpm-3.0.6-9.src.rpm
prior to rsync-2.5.0-5.src.rpm
prior to libz-devel-static-1.1.3-12.i386.rpm
prior to linux-kernel-binary-2.4.13-15S.i386.rpm
prior to linux-kernel-include-2.4.13-15S.i386.rpm
prior to linux-source-UserMode-2.4.13-15S.i386.rpm
prior to linux-source-alpha-2.4.13-15S.i386.rpm
prior to linux-source-arm-2.4.13-15S.i386.rpm
prior to linux-source-common-2.4.13-15S.i386.rpm
OpenLinux 3.1.1 Workstation prior to dump-0.4b22-5.i386.rpm
prior to libz-1.1.3-12.i386.rpm
prior to libz-devel-1.1.3-12.i386.rpm
prior to libz-devel-static-1.1.3-12.i386.rpm
prior to linux-kernel-binary-2.4.13-15S.i386.rpm
prior to linux-kernel-include-2.4.13-15S.i386.rpm
prior to linux-source-UserMode-2.4.13-15S.i386.rpm
prior to linux-source-alpha-2.4.13-15S.i386.rpm
prior to linux-source-arm-2.4.13-15S.i386.rpm
prior to linux-source-common-2.4.13-15S.i386.rpm
prior to linux-source-cris-2.4.13-15S.i386.rpm
prior to linux-source-i386-2.4.13-15S.i386.rpm
prior to linux-source-ia64-2.4.13-15S.i386.rpm
prior to linux-source-m68k-2.4.13-15S.i386.rpm
prior to linux-source-mips-2.4.13-15S.i386.rpm
prior to linux-source-parisc-2.4.13-15S.i386.rpm
prior to linux-source-ppc-2.4.13-15S.i386.rpm
prior to linux-source-s390-2.4.13-15S.i386.rpm
prior to linux-source-sparc-2.4.13-15S.i386.rpm
prior to linux-source-superH-2.4.13-15S.i386.rpm
prior to rpm-3.0.6-9.i386.rpm
prior to rpm-devel-3.0.6-9.i386.rpm
prior to rsync-2.5.0-5.i386.rpm
prior to dump-0.4b22-5.src.rpm
prior to libz-1.1.3-12.src.rpm
prior to linux-2.4.13-15.src.rpm
prior to rpm-3.0.6-9.src.rpm
prior to rsync-2.5.0-5.src.rpm
3. Solution
The proper solution is to install the latest packages.
4. OpenLinux 3.1.1 Server
4.1 Package Location
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS
4.2 Packages
69cd9425bd8d6463a8d7e65271b826d7 dump-0.4b22-5.i386.rpm
f2e35b07ceb6c7d0b4b0e258892780f7 libz-1.1.3-12.i386.rpm
56b0d76a38823ee9b6897c02ee879285 linux-source-cris-2.4.13-15S.i386.rpm
b50863ae6ca6708ac8a3fe24dbcab091 linux-source-i386-2.4.13-15S.i386.rpm
ce11d939e8bde711453746b27ff87bf5 linux-source-ia64-2.4.13-15S.i386.rpm
1d3265ddab10d19e089d36f0d72fa5c9 linux-source-m68k-2.4.13-15S.i386.rpm
931bdbd27db23c9a4093fac97400d031 linux-source-mips-2.4.13-15S.i386.rpm
3eccb9efc9639a18dbfe4dadffc19687 linux-source-parisc-2.4.13-15S.i386.rpm
9187ea14d95e8f2b386b9cacce45e437 linux-source-ppc-2.4.13-15S.i386.rpm
6747fe6c69ffe4dd806b1e70c324abdb linux-source-s390-2.4.13-15S.i386.rpm
9b0f08824d11cfa02c3668c6d447a836 linux-source-sparc-2.4.13-15S.i386.rpm
5bd38d7f07b96ce0d07d4f64665de0ef linux-source-superH-2.4.13-15S.i386.rpm
e22682ade4ebac2d7a02d3ac8653ef8f libz-devel-1.1.3-12.i386.rpm
7479f0409a80030bd897f9e0d1dc400d rpm-3.0.6-9.i386.rpm
9470b7f9e89302a9861385233265ebf9 rpm-devel-3.0.6-9.i386.rpm
9c9f5311858606bf9e87e3d7c25093f9 rsync-2.5.0-5.i386.rpm
82621db45e27ab47446851018a0f2d4f libz-devel-static-1.1.3-12.i386.rpm
a5987dd17e564007bfb3948fe2af7abf linux-kernel-binary-2.4.13-15S.i386.rpm
23cd4031e65b1d0a2a7747f0d28ee89d linux-kernel-include-2.4.13-15S.i386.rpm
0679c645b73eb3db5869e1b8c2830ffb linux-source-UserMode-2.4.13-15S.i386.rpm
b565e1be88e50f66591ed59ed7be2fda linux-source-alpha-2.4.13-15S.i386.rpm
12397356ef12cb3cd6c9502bba9c7786 linux-source-arm-2.4.13-15S.i386.rpm
3ec69747d552234318086c3455586b9b linux-source-common-2.4.13-15S.i386.rpm
4.3 Installation
rpm -Fvh libz-1.1.3-12.i386.rpm
rpm -Fvh dump-0.4b22-5.i386.rpm
rpm -Fvh linux-source-cris-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-i386-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-ia64-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-m68k-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-mips-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-parisc-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-ppc-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-s390-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-sparc-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-superH-2.4.13-15S.i386.rpm
rpm -Fvh libz-devel-1.1.3-12.i386.rpm
rpm -Fvh rpm-3.0.6-9.i386.rpm
rpm -Fvh rpm-devel-3.0.6-9.i386.rpm
rpm -Fvh rsync-2.5.0-5.i386.rpm
rpm -Fvh libz-devel-static-1.1.3-12.i386.rpm
rpm -Fvh linux-kernel-binary-2.4.13-15S.i386.rpm
rpm -Fvh linux-kernel-include-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-UserMode-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-alpha-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-arm-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-common-2.4.13-15S.i386.rpm
4.4 Source Package Location
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS
4.5 Source Packages
23cb4c1deb9a5253305d59796b39559e dump-0.4b22-5.src.rpm
01c6767ca6920892e3761d94c268677c libz-1.1.3-12.src.rpm
899cd9d83876602c0beb11833f89ef69 linux-2.4.13-15.src.rpm
84985de23b84a62b05fa97b10acaf3a3 rpm-3.0.6-9.src.rpm
51ffe946113ccc27f5125b25b408669c rsync-2.5.0-5.src.rpm
5. OpenLinux 3.1.1 Workstation
5.1 Package Location
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS
5.2 Packages
69cd9425bd8d6463a8d7e65271b826d7 dump-0.4b22-5.i386.rpm
f2e35b07ceb6c7d0b4b0e258892780f7 libz-1.1.3-12.i386.rpm
e22682ade4ebac2d7a02d3ac8653ef8f libz-devel-1.1.3-12.i386.rpm
82621db45e27ab47446851018a0f2d4f libz-devel-static-1.1.3-12.i386.rpm
a5987dd17e564007bfb3948fe2af7abf linux-kernel-binary-2.4.13-15S.i386.rpm
23cd4031e65b1d0a2a7747f0d28ee89d linux-kernel-include-2.4.13-15S.i386.rpm
0679c645b73eb3db5869e1b8c2830ffb linux-source-UserMode-2.4.13-15S.i386.rpm
b565e1be88e50f66591ed59ed7be2fda linux-source-alpha-2.4.13-15S.i386.rpm
12397356ef12cb3cd6c9502bba9c7786 linux-source-arm-2.4.13-15S.i386.rpm
3ec69747d552234318086c3455586b9b linux-source-common-2.4.13-15S.i386.rpm
56b0d76a38823ee9b6897c02ee879285 linux-source-cris-2.4.13-15S.i386.rpm
b50863ae6ca6708ac8a3fe24dbcab091 linux-source-i386-2.4.13-15S.i386.rpm
ce11d939e8bde711453746b27ff87bf5 linux-source-ia64-2.4.13-15S.i386.rpm
1d3265ddab10d19e089d36f0d72fa5c9 linux-source-m68k-2.4.13-15S.i386.rpm
931bdbd27db23c9a4093fac97400d031 linux-source-mips-2.4.13-15S.i386.rpm
3eccb9efc9639a18dbfe4dadffc19687 linux-source-parisc-2.4.13-15S.i386.rpm
9187ea14d95e8f2b386b9cacce45e437 linux-source-ppc-2.4.13-15S.i386.rpm
6747fe6c69ffe4dd806b1e70c324abdb linux-source-s390-2.4.13-15S.i386.rpm
9b0f08824d11cfa02c3668c6d447a836 linux-source-sparc-2.4.13-15S.i386.rpm
5bd38d7f07b96ce0d07d4f64665de0ef linux-source-superH-2.4.13-15S.i386.rpm
7479f0409a80030bd897f9e0d1dc400d rpm-3.0.6-9.i386.rpm
9470b7f9e89302a9861385233265ebf9 rpm-devel-3.0.6-9.i386.rpm
9c9f5311858606bf9e87e3d7c25093f9 rsync-2.5.0-5.i386.rpm
5.3 Installation
rpm -Fvh libz-1.1.3-12.i386.rpm
rpm -Fvh libz-devel-1.1.3-12.i386.rpm
rpm -Fvh libz-devel-static-1.1.3-12.i386.rpm
rpm -Fvh dump-0.4b22-5.i386.rpm
rpm -Fvh linux-kernel-binary-2.4.13-15S.i386.rpm
rpm -Fvh linux-kernel-include-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-UserMode-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-alpha-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-arm-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-common-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-cris-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-i386-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-ia64-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-m68k-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-mips-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-parisc-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-ppc-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-s390-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-sparc-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-superH-2.4.13-15S.i386.rpm
rpm -Fvh rpm-3.0.6-9.i386.rpm
rpm -Fvh rpm-devel-3.0.6-9.i386.rpm
rpm -Fvh rsync-2.5.0-5.i386.rpm
5.4 Source Package Location
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS
5.5 Source Packages
23cb4c1deb9a5253305d59796b39559e dump-0.4b22-5.src.rpm
01c6767ca6920892e3761d94c268677c libz-1.1.3-12.src.rpm
899cd9d83876602c0beb11833f89ef69 linux-2.4.13-15.src.rpm
84985de23b84a62b05fa97b10acaf3a3 rpm-3.0.6-9.src.rpm
51ffe946113ccc27f5125b25b408669c rsync-2.5.0-5.src.rpm
6. References
Specific references for this advisory:
http://www.cert.org/advisories/CA-2002-07.html
http://www.gzip.org/zlib/advisory-2002-03-11.txt
Caldera OpenLinux security resources:
http://www.caldera.com/support/security/index.html
Caldera UNIX security resources:
http://stage.caldera.com/support/security/
This security fix closes Caldera incidents sr860749, fz520215,
and erg711966.
7. Disclaimer
Caldera International, Inc. is not responsible for the misuse
of any of the information we provide on this website and/or
through our security advisories. Our advisories are a service
to our customers intended to promote secure installation and
use of Caldera products.
8. Acknowledgements
Owen Taylor announced this on February 6, 2002, after Matthias
Clasen found an invalid PNG file that crashed zlib.
______________________________________________________________________________
--1yeeQ81UyVL57Vl7
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (SCO_SV)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAjys8fMACgkQbluZssSXDTEAnwCfdhN8HA0rss2e4FCrsf1y5qwr
HncAoKGlwjzpWPn9O974VFQWlCUyWYac
=B1Yp
-----END PGP SIGNATURE-----
--1yeeQ81UyVL57Vl7--