Date: Mon, 11 Mar 2002 15:44:24 -0600
From: D J Hawkey Jr
To: security at FreeBSD
Subject: RedHat advisory - RHSA-2002:026-35 zlib double free -- Is this 4.5-R-p1?
Message-ID: <20020311154424.A22882@sheol.localdomain>

As the subject asks, does the 4.5-RELEASE-p1 "zlib inflate error handling" fix the bug addressed by the RH advisory, or is FreeBSD's zlib vulnerable?

The relevant portion of the RH advisory:

---8<---
The zlib library provides in-memory compression/decompression functions. The library is widely used throughout Linux and other operating systems.

While performing tests on the gdk-pixbuf library, Matthias Clasen created an invalid PNG image that caused libpng to crash. Upon further investigation, this turned out to be a bug in zlib 1.1.3 where certain types of input will cause zlib to free the same area of memory twice (called a "double free").

This bug can be used to crash any program that takes untrusted compressed input. Web browsers or email programs that display image attachments or other programs that uncompress data are particularly affected. This vulnerability makes it easy to perform various denial-of-service attacks against such programs.

It is also possible that an attacker could manage a more significant exploit, since the result of a double free is the corruption of the malloc() implementation's data structures. This could include running arbitrary code on local or remote systems.

Most packages in Red Hat Linux use the shared zlib library and can be protected against vulnerability by updating to the errata zlib package. However, we have identified a number of packages in Red Hat Linux that either statically link to zlib or contain an internal version of zlib code.

Although no exploits for this issue or these packages are currently known to exist, this is a serious vulnerability which could be locally or remotely exploited. All users should upgrade affected packages immediately.
--->8---

Dave

--
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/
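The advisory's point about packages that statically link zlib or carry an internal copy can be checked by searching binaries for the version banner zlib compiles into its objects. This is an added example in Python, not part of the original message or the advisory; the banner format is zlib's own, while treating every release up to 1.1.3 as affected is an assumption (the advisory names only 1.1.3).

```python
import re
import sys

# Banner strings zlib compiles into deflate.c and inftrees.c, e.g.
# " inflate 1.1.3 Copyright 1995-1998 Mark Adler ".
BANNER = re.compile(rb"(inflate|deflate) (\d+(?:\.\d+){1,3}) Copyright")
FLAGGED_UP_TO = (1, 1, 3)  # assumption: releases up to 1.1.3 are treated as affected
CHUNK = 1 << 16
OVERLAP = 64               # longer than any banner match, so none is lost at a chunk edge


def scan_stream(stream):
    """Return {(component, version)} for zlib banners found in a binary stream."""
    found = set()
    tail = b""
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        data = tail + block  # re-scan the previous tail so split banners still match
        for m in BANNER.finditer(data):
            found.add((m.group(1).decode(), m.group(2).decode()))
        tail = data[-OVERLAP:]
    return found


def is_flagged(version):
    """True when the dotted version is at or below FLAGGED_UP_TO."""
    return tuple(int(p) for p in version.split(".")) <= FLAGGED_UP_TO


def scan_file(path):
    """Return sorted (component, version, flagged) tuples for one file."""
    with open(path, "rb") as fh:
        return sorted((c, v, is_flagged(v)) for c, v in scan_stream(fh))


if __name__ == "__main__":
    # Usage: python scan_zlib.py /path/to/binary [...]
    for path in sys.argv[1:]:
        for component, version, flagged in scan_file(path):
            status = "REVIEW" if flagged else "ok"
            print(f"{path}: embedded zlib {component} {version} [{status}]")
```

A hit means the file carries its own copy of zlib and will not be fixed by updating the shared library alone. No hit is not proof of absence, since a build can strip or alter the banner.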