
Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow



On Mon, 11 Mar 2002, Michael Stone wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> 
> - --------------------------------------------------------------------------
> Debian Security Advisory DSA 122-1                     security@debian.org
> http://www.debian.org/security/                              Michael Stone
> March 11th, 2002
> - --------------------------------------------------------------------------
> 
> Package        : zlib, various
> Vulnerability  : malloc error (double free)
> Problem-Type   : potential remote root
> Debian-specific: no
> 
> The compression library zlib has a flaw in which it attempts to free
> memory more than once under certain conditions. This can possibly be
> exploited to run arbitrary code in a program that includes zlib. If a
> network application running as root is linked to zlib, this could
> potentially lead to a remote root compromise. No exploits are known at
> this time. This vulnerability is assigned the CVE candidate name of
> CAN-2002-0059.
> 
> The zlib vulnerability is fixed in the Debian zlib package version
> 1.1.3-5.1. A number of programs either link statically to zlib or include
> a private copy of zlib code. These programs must also be upgraded
> to eliminate the zlib vulnerability. The affected packages and fixed
> versions follow:
>   amaya 2.4-1potato1
>   dictd 1.4.9-9potato1
>   erlang 49.1-10.1
>   freeamp 2.0.6-2.1
>   mirrordir 0.10.48-2.1
>   ppp 2.3.11-1.5
>   rsync 2.3.2-1.6
>   vrweb 1.5-5.1
> 
Hi,

Doesn't dpkg also compile with a static zlib? Why does it not make
this list?

Regards,
Jor-el
