Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow
On Mon, 11 Mar 2002, Michael Stone wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 122-1 security@debian.org
> http://www.debian.org/security/ Michael Stone
> March 11th, 2002
> - --------------------------------------------------------------------------
>
> Package : zlib, various
> Vulnerability : malloc error (double free)
> Problem-Type : potential remote root
> Debian-specific: no
>
> The compression library zlib has a flaw in which it attempts to free
> memory more than once under certain conditions. This can possibly be
> exploited to run arbitrary code in a program that includes zlib. If a
> network application running as root is linked to zlib, this could
> potentially lead to a remote root compromise. No exploits are known at
> this time. This vulnerability is assigned the CVE candidate name of
> CAN-2002-0059.
>
> The zlib vulnerability is fixed in the Debian zlib package version
> 1.1.3-5.1. A number of programs either link statically to zlib or include
> a private copy of zlib code. These programs must also be upgraded
> to eliminate the zlib vulnerability. The affected packages and fixed
> versions follow:
> amaya 2.4-1potato1
> dictd 1.4.9-9potato1
> erlang 49.1-10.1
> freeamp 2.0.6-2.1
> mirrordir 0.10.48-2.1
> ppp 2.3.11-1.5
> rsync 2.3.2-1.6
> vrweb 1.5-5.1
>
Hi,
Doesn't dpkg also compile with a static zlib? Why does it not make
this list?
Regards,
Jor-el
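
An added example, not part of the thread or the advisory: one way to check whether a given binary carries its own copy of zlib code, as the advisory says some programs do, is to look for the copyright markers that zlib's `deflate.c` and `inftrees.c` compile into the object code. The function names and the sample byte strings are constructed for illustration, and a hit shows only that a copy is embedded, not that it is unpatched.

```python
import re
import sys

# Copyright markers that zlib compiles into deflate.c and inftrees.c;
# they survive static linking and private copies of the source.
ZLIB_MARKER = re.compile(
    rb"(deflate|inflate) (\d+(?:\.\d+){1,3}) Copyright 1995-\d{4} "
    rb"(?:Jean-loup Gailly|Mark Adler)"
)


def find_embedded_zlib(data):
    """Return sorted unique (component, version) pairs found in data."""
    hits = {
        (m.group(1).decode("ascii"), m.group(2).decode("ascii"))
        for m in ZLIB_MARKER.finditer(data)
    }
    return sorted(hits)


def scan_file(path):
    """Scan one file on disk; unreadable files yield no hits."""
    try:
        with open(path, "rb") as fh:
            return find_embedded_zlib(fh.read())
    except OSError:
        return []


# Constructed sample: bytes laid out like a binary with zlib linked in.
SAMPLE_STATIC = (
    b"\x7fELF\x01\x01\x00" + b"\x00" * 16
    + b" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \x00"
    + b"\x90" * 8
    + b" inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00"
)
# Constructed sample: a binary that only references the shared library.
SAMPLE_DYNAMIC = b"\x7fELF\x01\x01\x00" + b"libz.so.1\x00deflateInit_\x00"

if __name__ == "__main__":
    # Usage: python3 scan.py /path/to/binary [more paths...]
    for path in sys.argv[1:]:
        for component, version in scan_file(path):
            print(f"{path}: embedded zlib {component} code, version {version}")
```

Binaries that report a hit are the ones to compare against the advisory's list of fixed packages; a dynamically linked program picks up the fix from the shared zlib package instead.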