-
March 11th, 2002, 08:10 PM
#1
zlib vulnerability; affects PPP Code in Linux Kernel
From LinuxSecurity.com
Significant Vulnerability Afflicts Linux Systems
By LinuxSecurity
Posted By: Dave Wreski
3/11/2002 13:12
Today in a coordinated effort between all major Linux vendors, a vulnerability in the zlib library was announced, potentially affecting every installed Linux system in existance.
The vulnerability is rooted in the free() function and how it used. Quoting from the EnGarde Secure Linux advisory, "The zlib shared library may attempt to free() a memory region more then once, potentially yielding a system exploitable by certain programs that use it for decompression. Because certain packages include their own zlib implementation or statically link against the system zlib, several packages need to be updated to properly fix this bug."
This vulnerability will also affect some vendors shipping implementations of the open source library within their binary applications.
Packages including X11, rsync, the Linux kernel, QT, mozilla, gcc, vnc, and many other programs that have the ability to use network compression are potentially vulnerable.
The reason this particular vulnerability is so significant is because many programs implement their own particular version of the zlib library, statically linked with their code, and therefore inheriting the potential for exploit.
No known exploit is available for this vulnerability at this time, but the implications of this vulnerability are significant, and have the potential for remote compromise leading to root privileges on the server.
As vendors post their advisories, LinuxSecurity will continue to update this page and our site, directing the Linux and open source security communities to the authoritative information from their Linux vendor.
Resources
Common Vulnerabilities and Exposures entry for this vulnerability http://cve.mitre.org/cgi-bin/cvename...=CAN-2002-0059
EnGarde Secure Linux Advisory http://www.linuxsecurity.com/advisor...sory-1960.html
Thanks to Ryan W. Maple for assistance with this report. This page will be updated continually, as vendors file their vulnerability reports.
NewsForge is also covering this story.
-
March 13th, 2002, 03:20 PM
#2
Other apps/services which contain the old code include:
gcc 3.0
gpg
rsync
cvs
rrdtool
freeamp
Netscape (fix in the works)
ssh
vnc
XFree86
the latest update about this so far is here : http://www.theregister.co.uk/content/5/24387.html
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|