On Mon, Mar 11, 2002 at 05:16:43PM -0600, Jor-el wrote:
> On Mon, 11 Mar 2002, Michael Stone wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > - --------------------------------------------------------------------------
> > Debian Security Advisory DSA 122-1                     security@debian.org
> > http://www.debian.org/security/                              Michael Stone
> > March 11th, 2002
> > - --------------------------------------------------------------------------
> >
> > Package        : zlib, various
> > Vulnerability  : malloc error (double free)
> > Problem-Type   : potential remote root
> > Debian-specific: no
> >
> > The compression library zlib has a flaw in which it attempts to free
> > memory more than once under certain conditions. This can possibly be
> > exploited to run arbitrary code in a program that includes zlib. If a
> > network application running as root is linked to zlib, this could
> > potentially lead to a remote root compromise. No exploits are known at
> > this time. This vulnerability is assigned the CVE candidate name of
> > CAN-2002-0059.
> >
> > The zlib vulnerability is fixed in the Debian zlib package version
> > 1.1.3-5.1. A number of programs either link statically to zlib or include
> > a private copy of zlib code. These programs must also be upgraded
> > to eliminate the zlib vulnerability. The affected packages and fixed
> > versions follow:
> >
> > amaya        2.4-1potato1
> > dictd        1.4.9-9potato1
> > erlang       49.1-10.1
> > freeamp      2.0.6-2.1
> > mirrordir    0.10.48-2.1
> > ppp          2.3.11-1.5
> > rsync        2.3.2-1.6
> > vrweb        1.5-5.1
>
> Hi,
>
> Doesn't dpkg also compile with a static zlib? Why does it not make
> this list?

What Internet-accessible port are you running dpkg on? :)

dpkg doesn't normally run on a network port, so exploiting it doesn't get
you local access unless you already have it; and it's not suid, so running
it from the command line doesn't let you get root. Therefore, there is no
security hole opened by a vulnerability in dpkg.

Steve Langasek
postmodern programmer
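A defender-side check against the advisory's version table, added here as an example and not code from the thread or from Debian: it implements dpkg's version ordering in general (epoch, upstream, revision, `~` sorting lowest), so it goes beyond the versions listed, and reports which listed packages are still below the fixed version. The `SAMPLE` input is constructed; on a real system the same lines come from `dpkg-query -W -f '${Package} ${Version}\n'`, which reports binary package names, so the advisory's source-package names are assumed to match.

```python
import re
# Fixed versions as printed in DSA 122-1, keyed by the package names the advisory uses.
FIXED = {"zlib": "1.1.3-5.1", "amaya": "2.4-1potato1", "dictd": "1.4.9-9potato1",
         "erlang": "49.1-10.1", "freeamp": "2.0.6-2.1", "mirrordir": "0.10.48-2.1",
         "ppp": "2.3.11-1.5", "rsync": "2.3.2-1.6", "vrweb": "1.5-5.1"}
# Constructed sample in the shape of `dpkg-query -W -f '${Package} ${Version}\n'` output.
SAMPLE = "zlib 1.1.3-5\nrsync 2.3.2-1.6\nppp 2.3.11-1.4\ndictd 1.4.9-9\nerlang 49.1-10.1\n"

def _order(c):
    """dpkg's weight of one character: '~' lowest, then end-of-string or digit, letters, others."""
    return -1 if c == "~" else 0 if not c or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _dig(s, k):
    """True if s has a digit at index k."""
    return k < len(s) and s[k].isdigit()

def _cmp_fragment(a, b):
    """dpkg's comparison of an upstream-version or revision string."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run, character by character; a missing character weighs 0.
        while (i < len(a) and not _dig(a, i)) or (j < len(b) and not _dig(b, j)):
            diff = _order(a[i:i + 1]) - _order(b[j:j + 1])
            if diff:
                return diff
            i, j = i + 1, j + 1
        # Digit run: compared numerically, so leading zeros do not matter.
        ma, mb = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        i, j = i + len(ma), j + len(mb)
        if int(ma or 0) != int(mb or 0):
            return int(ma or 0) - int(mb or 0)
    return 0

def compare_versions(a, b):
    """Negative, zero or positive as Debian version a is older than, equal to or newer than b."""
    def split(v):  # 'epoch:upstream-revision'; epoch and revision are optional
        m = re.fullmatch(r"(?:(\d+):)?(.+?)(?:-([^-]*))?", v)
        return int(m.group(1) or 0), m.group(2), m.group(3) or ""
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def outdated(dpkg_lines, fixed=FIXED):
    """[(package, installed, fixed)] for advisory packages whose installed version is below the fix."""
    pairs = (line.split() for line in dpkg_lines.splitlines() if line.strip())
    return [(n, v, fixed[n]) for n, v in pairs if n in fixed and compare_versions(v, fixed[n]) < 0]

if __name__ == "__main__":
    for name, have, need in outdated(SAMPLE):
        print(f"{name}: installed {have}, fixed in {need}")
```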