
Thread: Significant Vulnerability Afflicts Linux Systems

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    108

    Significant Vulnerability Afflicts Linux Systems

    Quote from: http://www.linuxsecurity.com/article...icle-4582.html

    Today in a coordinated effort between all major Linux vendors, a vulnerability in the zlib library was announced, potentially affecting every installed Linux system in existence.
    The vulnerability is rooted in the free() function and how it is used. Quoting from the EnGarde Secure Linux advisory, "The zlib shared library may attempt to free() a memory region more than once, potentially yielding a system exploitable by certain programs that use it for decompression. Because certain packages include their own zlib implementation or statically link against the system zlib, several packages need to be updated to properly fix this bug."

    This vulnerability will also affect some vendors shipping implementations of the open source library within their binary applications.

    Packages including X11, rsync, the Linux kernel, QT, mozilla, gcc, vnc, and many other programs that have the ability to use network compression are potentially vulnerable.

    The reason this particular vulnerability is so significant is because many programs implement their own particular version of the zlib library, statically linked with their code, and therefore inheriting the potential for exploit.

    No known exploit is available for this vulnerability at this time, but the implications of this vulnerability are significant, and have the potential for remote compromise leading to root privileges on the server.

    As vendors post their advisories, LinuxSecurity will continue to update this page and our site, directing the Linux and open source security communities to the authoritative information from their Linux vendor.
    Speak softly and carry a big stick; you will go far. - Theodore Roosevelt
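
Added example (not part of the original thread or the quoted article): because the article's point is that statically linked and bundled zlib copies are not fixed by updating the shared library, this sketch sweeps files for the copyright banners zlib compiles into its deflate and inflate code and compares each embedded version with a threshold. The first fixed version is an assumption the reader supplies from their vendor's advisory; the function names and the version numbers in `SAMPLE` are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# zlib compiles these copyright banners into deflate and inflate, so they
# normally remain visible in any binary that carries its own copy.
BANNER = re.compile(rb"(?:deflate|inflate) (\d+(?:\.\d+)+)\S* Copyright 1995-\d{4} ")


def embedded_zlib_versions(blob: bytes) -> set[str]:
    """Return every zlib version string whose banner appears in blob."""
    return {m.group(1).decode("ascii") for m in BANNER.finditer(blob)}


def as_tuple(version: str) -> tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def audit(blob: bytes, first_fixed: str) -> list[tuple[str, str]]:
    """Classify each embedded copy against the advisory's first fixed version."""
    fixed = as_tuple(first_fixed)
    return [
        (v, "ok" if as_tuple(v) >= fixed else "REBUILD")
        for v in sorted(embedded_zlib_versions(blob), key=as_tuple)
    ]


def scan_tree(root: str, first_fixed: str):
    """Yield (path, version, verdict) for regular files under root."""
    for path in Path(root).rglob("*"):
        try:
            if path.is_file() and not path.is_symlink():
                for version, verdict in audit(path.read_bytes(), first_fixed):
                    yield str(path), version, verdict
        except OSError:
            continue  # unreadable file: skip it, do not abort the sweep


# Constructed sample: a fake binary image holding two bundled copies.
SAMPLE = (b"\x7fELF\x00\x00 deflate 0.9.1 Copyright 1995-1998 Jean-loup Gailly \x00"
          b"\x00 inflate 0.9.1 Copyright 1995-1998 Mark Adler \x00"
          b"pad\x00 inflate 0.9.2 Copyright 1995-2002 Mark Adler \x00")

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <directory> <first fixed version>
        for row in scan_tree(sys.argv[1], sys.argv[2]):
            print(*row, sep="\t")
    else:
        print(audit(SAMPLE, "0.9.2"))
```

A hit on the system's own libz is expected; the rows that matter are other executables and libraries marked REBUILD. No hit does not prove a file is clean, since packed or compressed binaries hide the banner.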

  2. #2
    Senior Member
    Join Date
    Feb 2002
    Posts
    133
    All I can say is that hopefully somebody will come up with a patch mighty damn quick.
    If you don't learn the rules nobody can accuse you of cheating.

  3. #3
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,883
    Most vendors already have fixes from what I have seen on bugtraq.
    "Ignorance is bliss....
    but only for your enemy"
    -- souleman

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Two things:
    A) Patches have already been released for almost all major software that's vulnerable (a massive effort -- my kudos to the developers who worked hard to get it fixed fast)
    B) This affects MORE than just Linux. Lots of software period uses zlib (including some Windows stuff).

    Again, I'd like to recommend to people that you pop on over to securityfocus.com and sign up for bugtraq, focus-linux and focus-ms. You'll keep on the up and up.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
