RHSA-2002:027-22-Vulnerability in zlib library (powertools)

by Nikola Strahija on March 12th, 2002

1. Topic:

While performing tests on the gdk-pixbuf library, Matthias Clasen created an invalid PNG image that caused libpng to crash. Upon further investigation, this turned out to be a bug in zlib 1.1.3: certain malformed compressed input causes zlib to free the same block of memory twice (a "double free").

This bug can be used to crash any program that takes untrusted compressed
input. Web browsers or email programs that display image attachments or
other programs that uncompress data are particularly affected. This
vulnerability makes it easy to perform various denial-of-service attacks
against such programs.

However, since the result of a double free is the corruption of the malloc
implementation's data structures, it is possible that an attacker could
manage a more significant exploit, such as running arbitrary code on the
affected system.

2. Relevant releases/architectures:

Red Hat Powertools 6.0 - alpha, i386, sparc

Red Hat Powertools 6.1 - alpha, i386, sparc

Red Hat Powertools 6.2 - alpha, i386, sparc

Red Hat Powertools 7.0 - alpha, i386

Red Hat Powertools 7.1 - alpha, i386

3. Problem description:

Most of the packages in Red Hat Linux use the shared zlib library and can
be protected against this vulnerability by updating to the errata zlib
package. However, a number of packages in Red Hat Linux have been
identified that either statically link to zlib or contain an internal copy
of the zlib code; these are not fixed by the shared library update and must
be updated individually.

Although no exploits for this issue or the affected packages are currently
known to exist, this is a serious vulnerability that could be locally or
remotely exploited. All users should upgrade affected packages immediately.

Additionally, if you have any programs that you have compiled yourself,
you should check whether they use zlib. If they link to the shared zlib
library, they will no longer be vulnerable once the shared library is
updated to the errata package. Any program that decompresses untrusted
data and either statically links to zlib or carries its own copy of the
zlib code must be patched or recompiled.
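One way to perform that check on locally built binaries, as an added example that is not part of the Red Hat advisory: the script below sorts each file into "links the shared libz.so" (fixed by the errata package), "carries an embedded copy of zlib" (needs a rebuild) or "no sign of zlib". It assumes the copyright banner that zlib 1.1.x compiles into inflate.c and deflate.c (" inflate 1.1.3 Copyright 1995-1998 Mark Adler ") survived stripping; the sample file in the usage is a constructed stand-in, not a real binary.

```shell
#!/bin/sh
# Added example, not code from the Red Hat advisory: classify a binary by how it
# uses zlib so self-compiled programs can be sorted into "fixed by the errata
# package" and "must be rebuilt". Outcomes:
#   dynamic - depends on the shared libz.so; the errata zlib package fixes it
#   static  - no libz.so dependency but a zlib version banner is embedded, so
#             zlib code is compiled in and the program needs a rebuild
#   none    - no sign of zlib (NOT proof of safety: a stripped or unusual
#             build may have removed the banner)
# Assumption: the banner matched is zlib's own copyright string
# (" inflate 1.1.3 Copyright 1995-1998 Mark Adler ") and the build kept it.

# Poor man's strings(1): turn every non-printable byte into a newline so grep
# and sed can work on an ELF file without binutils installed.
printable_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1"
}

# Print the version from the first "inflate X.Y.Z" banner in the file, if any.
embedded_zlib_version() {
    printable_strings "$1" \
        | sed -n 's/.*inflate \([0-9]\.[0-9]\.[0-9]\).*/\1/p' \
        | head -n 1
}

# Echo dynamic/static/none; return 0 when zlib is used at all, 1 otherwise.
zlib_linkage() {
    f="$1"
    if ldd "$f" 2>/dev/null | grep -q 'libz\.so'; then
        echo dynamic
        return 0
    fi
    if printable_strings "$f" \
        | grep -q -E '(inflate|deflate) [0-9]\.[0-9]\.[0-9]'; then
        echo static
        return 0
    fi
    echo none
    return 1
}

# Report every regular file in a directory, flagging embedded copies of the
# vulnerable 1.1.3 release; run it over /usr/local/bin, /opt or wherever
# locally compiled programs live.
scan_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        kind=$(zlib_linkage "$f" || true)
        case "$kind" in
            static)
                ver=$(embedded_zlib_version "$f")
                if [ "$ver" = "1.1.3" ]; then
                    echo "REBUILD  $f (embedded zlib $ver)"
                else
                    echo "CHECK    $f (embedded zlib ${ver:-unknown})"
                fi ;;
            dynamic) echo "SHARED   $f (fixed by errata libz)" ;;
            *)       echo "NOZLIB   $f" ;;
        esac
    done
}

# Usage: sh zlibcheck.sh /usr/local/bin
if [ $# -gt 0 ]; then
    scan_dir "$1"
fi
```

Two caveats: ldd can execute code from the binary it inspects on some systems, so run it only on binaries you trust (or substitute `objdump -p FILE | grep NEEDED`), and the absence of a banner proves nothing, so a "NOZLIB" result for a program known to decompress data still deserves a look at its build options.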

The following details apply to the Powertools distribution only;
for packages included with the main Red Hat Linux distribution
please see advisory RHSA-2002:026.

abiword: Powertools 6.2 shipped with both statically and
dynamically linked versions of AbiWord. The statically linked version
is linked against the vulnerable zlib. It is recommended that users
only use the dynamic version.

acroread: The acroread package in Powertools 7.0 contains Acrobat
Reader, a PDF viewer. This package contains an internal version of
zlib which may be vulnerable. An update is not yet available, so users are
advised to view PDF documents using xpdf or ghostview.

amaya: Amaya is a Web browser/authoring tool. Amaya in Powertools 7.1
has been patched to use the system zlib, libjpeg, and libpng libraries
instead of the internal static versions.

flash: The flash package in Powertools 6.2 and 7.0 contains an
unofficial Shockwave(TM) Flash2/Flash3 plug-in for Netscape which uses
an internal version of zlib. This plug-in conflicts with the official
flash plug-in included in the netscape package and should not be used.

freeamp: Freeamp is an MP3 audio player in Powertools 6.2 and 7.0 which
uses zlib when decompressing themes. Freeamp has been patched
to use the system zlib library instead of the internal version.

qt-embedded: Qt is a GUI toolkit for embedded devices. qt-embedded has
been updated to version 2.3.2 and recompiled against the errata zlib library.

vnc: VNC is a remote display system in Powertools 6.2. VNC has been
patched to use the system zlib library.

In addition, there is a small HTTP server implementation in the VNC server
which can be made to wait indefinitely for input, thereby freezing an
active VNC session. The VNC packages recommended by this advisory have
been patched to fix this issue, as well. Users of VNC should be aware the
program is designed for use on a trusted network.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:


This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed:

6. RPMs required:

Red Hat Powertools 6.2:

Red Hat Powertools 7.0:

Red Hat Powertools 7.1:

7. Verification:

MD5 sum Package Name
beb533f4769300842e9690573f8f5042 6.2/en/powertools/SRPMS/vnc-3.3.3-2.3.src.rpm
45f7de3b77c693141214ea0858bdd758 6.2/en/powertools/i386/vnc-3.3.3-2.3.i386.rpm
dcd4dac892444055519cbb5f4dbf3d25 7.1/en/powertools/SRPMS/amaya-4.0-4.src.rpm
9d0d12d364e6e760db9465286ae9d0c8 7.1/en/powertools/i386/amaya-4.0-4.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security. Our key
is available at:

You can verify each package with the following command:
rpm --checksig [filename]

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
rpm --checksig --nogpg [filename]
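To check downloaded files against the "MD5 sum  Package Name" list in this section before installing them, as an added example that is not part of the advisory: the script below reads lines in that exact "hash path" layout, computes each file's MD5 and reports OK, MISMATCH or MISSING, returning non-zero if anything is wrong. The list and package tree in the usage are constructed stand-ins, not the advisory's real packages.

```shell
#!/bin/sh
# Added example, not part of the Red Hat advisory: verify a mirrored download
# tree against a list of "<md5> <relative path>" lines copied from section 7.

# MD5 of one file. md5sum is GNU coreutils; md5 -q is the BSD/macOS spelling.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_md5_list LISTFILE BASEDIR
#   LISTFILE: lines of "<md5> <relative path>" as printed in the advisory;
#             the "MD5 sum Package Name" header and blank lines are skipped.
#   BASEDIR:  directory under which the 6.2/en/powertools/... tree was saved.
# Returns 0 only if every listed file exists and matches. A file that is
# missing counts as a failure: an absent package cannot be verified, and a
# silently skipped entry is how a tampered mirror slips through.
verify_md5_list() {
    list="$1"
    base="$2"
    failed=0
    while read -r expected path; do
        case "$expected" in ''|MD5) continue ;; esac
        f="$base/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path"
            failed=1
            continue
        fi
        actual=$(md5_of "$f")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (expected $expected, got $actual)"
            failed=1
        fi
    done < "$list"
    return $failed
}

# Usage: sh verify.sh md5list.txt /var/tmp/mirror
if [ $# -eq 2 ]; then
    verify_md5_list "$1" "$2"
fi
```

A matching MD5 only shows the file is the one the advisory lists; `rpm --checksig` additionally checks the Red Hat GPG signature, which ties the package to its signer rather than to a hash you copied from a web page, so run both before `rpm -Fvh`. MD5 is also no longer considered collision resistant, so for anything more recent than this advisory rely on the signature rather than the digest.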

8. References:

The Common Vulnerabilities and Exposures project has assigned the name
CAN-2002-0059 to this issue. Red Hat would like to thank CERT/CC for their
help in coordinating this issue with other vendors.

Copyright(c) 2000, 2001, 2002 Red Hat, Inc.

