Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » CSSA-2002-015.0-Linux: Double free in zlib (libz) vulnerability

CSSA-2002-015.0-Linux: Double free in zlib (libz) vulnerability

by Nikola Strahija on April 5th, 2002 From CERT CA-2002-07: There is a bug in the zlib compression library that may manifest itself as a vulnerability in programs that are linked with zlib. This may allow an attacker to conduct a denial-of-service attack, gather information, or execute arbitrary code.


2. Vulnerable Supported Versions

System Package
----------------------------------------------------------------------

OpenLinux 3.1.1 Server prior to dump-0.4b22-5.i386.rpm
prior to libz-1.1.3-12.i386.rpm
prior to linux-source-cris-2.4.13-15S.i386.rpm
prior to linux-source-i386-2.4.13-15S.i386.rpm
prior to linux-source-ia64-2.4.13-15S.i386.rpm
prior to linux-source-m68k-2.4.13-15S.i386.rpm
prior to linux-source-mips-2.4.13-15S.i386.rpm
prior to linux-source-parisc-2.4.13-15S.i386.rpm
prior to linux-source-ppc-2.4.13-15S.i386.rpm
prior to linux-source-s390-2.4.13-15S.i386.rpm
prior to linux-source-sparc-2.4.13-15S.i386.rpm
prior to linux-source-superH-2.4.13-15S.i386.rpm
prior to libz-devel-1.1.3-12.i386.rpm
prior to rpm-3.0.6-9.i386.rpm
prior to rpm-devel-3.0.6-9.i386.rpm
prior to rsync-2.5.0-5.i386.rpm
prior to dump-0.4b22-5.src.rpm
prior to libz-1.1.3-12.src.rpm
prior to linux-2.4.13-15.src.rpm
prior to rpm-3.0.6-9.src.rpm
prior to rsync-2.5.0-5.src.rpm
prior to libz-devel-static-1.1.3-12.i386.rpm
prior to linux-kernel-binary-2.4.13-15S.i386.rpm
prior to linux-kernel-include-2.4.13-15S.i386.rpm
prior to linux-source-UserMode-2.4.13-15S.i386.rpm
prior to linux-source-alpha-2.4.13-15S.i386.rpm
prior to linux-source-arm-2.4.13-15S.i386.rpm
prior to linux-source-common-2.4.13-15S.i386.rpm

OpenLinux 3.1.1 Workstation prior to dump-0.4b22-5.i386.rpm
prior to libz-1.1.3-12.i386.rpm
prior to libz-devel-1.1.3-12.i386.rpm
prior to libz-devel-static-1.1.3-12.i386.rpm
prior to linux-kernel-binary-2.4.13-15S.i386.rpm
prior to linux-kernel-include-2.4.13-15S.i386.rpm
prior to linux-source-UserMode-2.4.13-15S.i386.rpm
prior to linux-source-alpha-2.4.13-15S.i386.rpm
prior to linux-source-arm-2.4.13-15S.i386.rpm
prior to linux-source-common-2.4.13-15S.i386.rpm
prior to linux-source-cris-2.4.13-15S.i386.rpm
prior to linux-source-i386-2.4.13-15S.i386.rpm
prior to linux-source-ia64-2.4.13-15S.i386.rpm
prior to linux-source-m68k-2.4.13-15S.i386.rpm
prior to linux-source-mips-2.4.13-15S.i386.rpm
prior to linux-source-parisc-2.4.13-15S.i386.rpm
prior to linux-source-ppc-2.4.13-15S.i386.rpm
prior to linux-source-s390-2.4.13-15S.i386.rpm
prior to linux-source-sparc-2.4.13-15S.i386.rpm
prior to linux-source-superH-2.4.13-15S.i386.rpm
prior to rpm-3.0.6-9.i386.rpm
prior to rpm-devel-3.0.6-9.i386.rpm
prior to rsync-2.5.0-5.i386.rpm
prior to dump-0.4b22-5.src.rpm
prior to libz-1.1.3-12.src.rpm
prior to linux-2.4.13-15.src.rpm
prior to rpm-3.0.6-9.src.rpm
prior to rsync-2.5.0-5.src.rpm


3. Solution

The proper solution is to install the latest packages.


4. OpenLinux 3.1.1 Server

4.1 Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS

4.2 Packages

69cd9425bd8d6463a8d7e65271b826d7 dump-0.4b22-5.i386.rpm
f2e35b07ceb6c7d0b4b0e258892780f7 libz-1.1.3-12.i386.rpm
56b0d76a38823ee9b6897c02ee879285 linux-source-cris-2.4.13-15S.i386.rpm
b50863ae6ca6708ac8a3fe24dbcab091 linux-source-i386-2.4.13-15S.i386.rpm
ce11d939e8bde711453746b27ff87bf5 linux-source-ia64-2.4.13-15S.i386.rpm
1d3265ddab10d19e089d36f0d72fa5c9 linux-source-m68k-2.4.13-15S.i386.rpm
931bdbd27db23c9a4093fac97400d031 linux-source-mips-2.4.13-15S.i386.rpm
3eccb9efc9639a18dbfe4dadffc19687 linux-source-parisc-2.4.13-15S.i386.rpm
9187ea14d95e8f2b386b9cacce45e437 linux-source-ppc-2.4.13-15S.i386.rpm
6747fe6c69ffe4dd806b1e70c324abdb linux-source-s390-2.4.13-15S.i386.rpm
9b0f08824d11cfa02c3668c6d447a836 linux-source-sparc-2.4.13-15S.i386.rpm
5bd38d7f07b96ce0d07d4f64665de0ef linux-source-superH-2.4.13-15S.i386.rpm
e22682ade4ebac2d7a02d3ac8653ef8f libz-devel-1.1.3-12.i386.rpm
7479f0409a80030bd897f9e0d1dc400d rpm-3.0.6-9.i386.rpm
9470b7f9e89302a9861385233265ebf9 rpm-devel-3.0.6-9.i386.rpm
9c9f5311858606bf9e87e3d7c25093f9 rsync-2.5.0-5.i386.rpm
82621db45e27ab47446851018a0f2d4f libz-devel-static-1.1.3-12.i386.rpm
a5987dd17e564007bfb3948fe2af7abf linux-kernel-binary-2.4.13-15S.i386.rpm
23cd4031e65b1d0a2a7747f0d28ee89d linux-kernel-include-2.4.13-15S.i386.rpm
0679c645b73eb3db5869e1b8c2830ffb linux-source-UserMode-2.4.13-15S.i386.rpm
b565e1be88e50f66591ed59ed7be2fda linux-source-alpha-2.4.13-15S.i386.rpm
12397356ef12cb3cd6c9502bba9c7786 linux-source-arm-2.4.13-15S.i386.rpm
3ec69747d552234318086c3455586b9b linux-source-common-2.4.13-15S.i386.rpm

4.3 Installation

rpm -Fvh libz-1.1.3-12.i386.rpm
rpm -Fvh dump-0.4b22-5.i386.rpm
rpm -Fvh linux-source-cris-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-i386-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-ia64-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-m68k-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-mips-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-parisc-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-ppc-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-s390-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-sparc-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-superH-2.4.13-15S.i386.rpm
rpm -Fvh libz-devel-1.1.3-12.i386.rpm
rpm -Fvh rpm-3.0.6-9.i386.rpm
rpm -Fvh rpm-devel-3.0.6-9.i386.rpm
rpm -Fvh rsync-2.5.0-5.i386.rpm
rpm -Fvh libz-devel-static-1.1.3-12.i386.rpm
rpm -Fvh linux-kernel-binary-2.4.13-15S.i386.rpm
rpm -Fvh linux-kernel-include-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-UserMode-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-alpha-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-arm-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-common-2.4.13-15S.i386.rpm

4.4 Source Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/SRPMS

4.5 Source Packages

23cb4c1deb9a5253305d59796b39559e dump-0.4b22-5.src.rpm
01c6767ca6920892e3761d94c268677c libz-1.1.3-12.src.rpm
899cd9d83876602c0beb11833f89ef69 linux-2.4.13-15.src.rpm
84985de23b84a62b05fa97b10acaf3a3 rpm-3.0.6-9.src.rpm
51ffe946113ccc27f5125b25b408669c rsync-2.5.0-5.src.rpm


5. OpenLinux 3.1.1 Workstation

5.1 Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS

5.2 Packages

69cd9425bd8d6463a8d7e65271b826d7 dump-0.4b22-5.i386.rpm
f2e35b07ceb6c7d0b4b0e258892780f7 libz-1.1.3-12.i386.rpm
e22682ade4ebac2d7a02d3ac8653ef8f libz-devel-1.1.3-12.i386.rpm
82621db45e27ab47446851018a0f2d4f libz-devel-static-1.1.3-12.i386.rpm
a5987dd17e564007bfb3948fe2af7abf linux-kernel-binary-2.4.13-15S.i386.rpm
23cd4031e65b1d0a2a7747f0d28ee89d linux-kernel-include-2.4.13-15S.i386.rpm
0679c645b73eb3db5869e1b8c2830ffb linux-source-UserMode-2.4.13-15S.i386.rpm
b565e1be88e50f66591ed59ed7be2fda linux-source-alpha-2.4.13-15S.i386.rpm
12397356ef12cb3cd6c9502bba9c7786 linux-source-arm-2.4.13-15S.i386.rpm
3ec69747d552234318086c3455586b9b linux-source-common-2.4.13-15S.i386.rpm
56b0d76a38823ee9b6897c02ee879285 linux-source-cris-2.4.13-15S.i386.rpm
b50863ae6ca6708ac8a3fe24dbcab091 linux-source-i386-2.4.13-15S.i386.rpm
ce11d939e8bde711453746b27ff87bf5 linux-source-ia64-2.4.13-15S.i386.rpm
1d3265ddab10d19e089d36f0d72fa5c9 linux-source-m68k-2.4.13-15S.i386.rpm
931bdbd27db23c9a4093fac97400d031 linux-source-mips-2.4.13-15S.i386.rpm
3eccb9efc9639a18dbfe4dadffc19687 linux-source-parisc-2.4.13-15S.i386.rpm
9187ea14d95e8f2b386b9cacce45e437 linux-source-ppc-2.4.13-15S.i386.rpm
6747fe6c69ffe4dd806b1e70c324abdb linux-source-s390-2.4.13-15S.i386.rpm
9b0f08824d11cfa02c3668c6d447a836 linux-source-sparc-2.4.13-15S.i386.rpm
5bd38d7f07b96ce0d07d4f64665de0ef linux-source-superH-2.4.13-15S.i386.rpm
7479f0409a80030bd897f9e0d1dc400d rpm-3.0.6-9.i386.rpm
9470b7f9e89302a9861385233265ebf9 rpm-devel-3.0.6-9.i386.rpm
9c9f5311858606bf9e87e3d7c25093f9 rsync-2.5.0-5.i386.rpm

5.3 Installation

rpm -Fvh libz-1.1.3-12.i386.rpm
rpm -Fvh libz-devel-1.1.3-12.i386.rpm
rpm -Fvh libz-devel-static-1.1.3-12.i386.rpm
rpm -Fvh dump-0.4b22-5.i386.rpm
rpm -Fvh linux-kernel-binary-2.4.13-15S.i386.rpm
rpm -Fvh linux-kernel-include-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-UserMode-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-alpha-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-arm-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-common-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-cris-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-i386-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-ia64-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-m68k-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-mips-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-parisc-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-ppc-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-s390-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-sparc-2.4.13-15S.i386.rpm
rpm -Fvh linux-source-superH-2.4.13-15S.i386.rpm
rpm -Fvh rpm-3.0.6-9.i386.rpm
rpm -Fvh rpm-devel-3.0.6-9.i386.rpm
rpm -Fvh rsync-2.5.0-5.i386.rpm

5.4 Source Package Location

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/SRPMS

5.5 Source Packages

23cb4c1deb9a5253305d59796b39559e dump-0.4b22-5.src.rpm
01c6767ca6920892e3761d94c268677c libz-1.1.3-12.src.rpm
899cd9d83876602c0beb11833f89ef69 linux-2.4.13-15.src.rpm
84985de23b84a62b05fa97b10acaf3a3 rpm-3.0.6-9.src.rpm
51ffe946113ccc27f5125b25b408669c rsync-2.5.0-5.src.rpm


6. References

Specific references for this advisory:

http://www.cert.org/advisories/CA-2002-07.html
http://www.gzip.org/zlib/advisory-2002-03-11.txt


Caldera OpenLinux security resources:
http://www.caldera.com/support/security/index.html

Caldera UNIX security resources:
http://stage.caldera.com/support/security/

This security fix closes Caldera incidents sr860749, fz520215,
and erg711966.


7. Disclaimer

Caldera International, Inc. is not responsible for the misuse
of any of the information we provide on this website and/or
through our security advisories. Our advisories are a service
to our customers intended to promote secure installation and
use of Caldera products.


8. Acknowledgements

Owen Taylor announced this on February 6, 2002, after Matthias
Clasen found an invalid PNG file that crashed zlib.

______________________________________________________________________________


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »