Vulnerability in zlib library

[Update 20 Mar 2002:
Added kernel packages for Red Hat Linux 6.2 on sparc64. Updated VNC
packages as the previous fix caused another denial of service
vulnerability; thanks to Const Kaplinsky for reporting this]

[Update 14 Mar 2002:
Updated kernel packages for Red Hat Linux 6.2 and 7.0 which were missing
the zlib fix; added missing kernel-headers package for 6.2.]

The zlib library provides in-memory compression/decompression
functions. The library is widely used throughout Linux and other
operating
systems.

While performing tests on the gdk-pixbuf library, Matthias Clasen created
an invalid PNG image that caused libpng to crash. Upon further
investigation, this turned out to be a bug in zlib 1.1.3 where certain
types of input will cause zlib to free the same area of memory twice
(called a "double free").

This bug can be used to crash any program that takes untrusted
compressed input. Web browsers or email programs that
display image attachments or other programs that uncompress data are
particularly affected. This vulnerability makes it easy to perform
various
denial-of-service attacks against such programs.

It is also possible that an attacker could manage a more significant
exploit, since the result of a double free is the corruption of the
malloc() implementation's data structures. This could include running
arbitrary code on local or remote systems.

Most packages in Red Hat Linux use the shared zlib library and can be
protected against vulnerability by updating to the errata zlib
package. However, we have identified a number of packages in Red Hat
Linux that either statically link to zlib or contain an internal
version of zlib code.

Although no exploits for this issue or these packages are currently
known to exist, this is a serious vulnerability which could be
locally or remotely exploited. All users should upgrade affected packages
immediately.

Additionally, if you have any programs that you have compiled yourself,
you should check to see if they use zlib. If they link to the shared
zlib library then they will not be vulnerable once the shared zlib
library is updated to the errata package. However, if any programs that
decompress arbitrary data statically link to zlib or use their own
version
of the zlib code internally, then they need to be patched or
recompiled.

The following details apply to the main Red Hat Linux distribution
only. Please see advisory RHSA-2002:027 for Powertools packages.

cvs: cvs is a version control system. The cvs package has been rebuilt to
link against the shared system zlib instead of the internal version.

Additionally, cvs has been updated to version 1.11.1p1 for Red Hat Linux
6.2, 7.0 and 7.1 which also corrects a possible security vulnerability due
to an improperly initialized global variable. (CAN-2002-0092)

dump: The dump package contains programs for backing up and restoring
filesystems. It links statically to zlib and has been rebuilt
against the errata zlib package. Red Hat Linux 7, 7.1, and 7.2
packages have also been upgraded to dump-0.4b25, which includes
many non-security fixes.

gcc3: The gcc3 package contains the GNU Compiler Collection version
3.0. It has been updated to version 3.0.4 and patched to link against
the system zlib instead of the internal version.

libgcj: The libgcj package includes the Java runtime library, which is
needed to run Java programs compiled using the gcc Java compiler
(gcj). libgcj has been patched to use the shared system zlib.

kernel: The Linux kernel internally contains several variants of zlib
code. However, ppp compression is the only implementation that is used with
untrusted data streams. This issue has been patched. New kernel errata
packages are included for Red Hat Linux 6.2 and 7.

Users of Red Hat Linux 7.1, or 7.2 should update to the currently
released kernel errata RHSA-2002-028 (2.4.9-31) which already contains this
fix.

Netscape Navigator: Users are advised to obtain an update from Netscape.

rsync: rsync is a program for synchronizing files over a network.
rsync uses a modified version of zlib internally. These errata
packages patch this internal version of zlib.

The rsync update package also fixes another security issue where rsync did
not call setgroups() before dropping the privileges of the connecting user.
Hence, it is possible for users to retain the group IDs of any supplemental
groups that rsync was started in (for example, supplementary groups of the
root user), allowing users to access files they may not otherwise be able
to access. Thanks to Martin Pool and Andrew Tridgell for alerting us to
this issue. CAN-2002-0080.

VNC: VNC is a remote display system in Powertools 6.2. VNC has been
patched to use the system zlib library.

In addition, there is a small HTTP server implementation in the VNC server
which can be made to wait indefinitely for input, thereby freezing an
active VNC session. The VNC packages recommended by this advisory have
been patched to fix this issue. Users of VNC should be aware that the
program is designed for use on a trusted network.

zlib: The zlib library has been updated with a patch to fix the
aforementioned vulnerability.

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains
the desired RPMs.

The procedure for upgrading the kernel is documented at:

http://www.redhat.com/support/docs/howto/kernel-upgrade/

Please read the directions for your architecture carefully before
proceeding with the kernel upgrade.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

https://www.redhat.com/security/data/cve/CVE-2002-0059.html
https://www.redhat.com/security/data/cve/CVE-2002-0080.html
https://www.redhat.com/security/data/cve/CVE-2002-0092.html
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0059 to the zlib issue. Red Hat would like to
thank CERT/CC for their help in coordinating this issue with other vendors

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0059
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0092
http://bugzilla.gnome.org/show_bug.cgi?id=70594

double, free, zlib