March 12th, 2002, 10:14 AM
Significant Vulnerability Afflicts Linux Systems
Quote from: http://www.linuxsecurity.com/article...icle-4582.html
Today in a coordinated effort between all major Linux vendors, a vulnerability in the zlib library was announced, potentially affecting every installed Linux system in existence.
The vulnerability is rooted in the free() function and how it is used. Quoting from the EnGarde Secure Linux advisory, "The zlib shared library may attempt to free() a memory region more than once, potentially yielding a system exploitable by certain programs that use it for decompression. Because certain packages include their own zlib implementation or statically link against the system zlib, several packages need to be updated to properly fix this bug."
This vulnerability will also affect some vendors shipping implementations of the open source library within their binary applications.
Packages including X11, rsync, the Linux kernel, QT, mozilla, gcc, vnc, and many other programs that have the ability to use network compression are potentially vulnerable.
The reason this particular vulnerability is so significant is because many programs implement their own particular version of the zlib library, statically linked with their code, and therefore inheriting the potential for exploit.
No known exploit is available for this vulnerability at this time, but the implications of this vulnerability are significant, and have the potential for remote compromise leading to root privileges on the server.
As vendors post their advisories, LinuxSecurity will continue to update this page and our site, directing the Linux and open source security communities to the authoritative information from their Linux vendor.
Speak softly and carry a big stick; you will go far. - Theodore Roosevelt
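Since the advisory above stresses that updating the shared library alone is not enough when packages carry their own statically linked copy, here is an added inventory helper (not from the article or any vendor) that scans a directory tree for binaries embedding zlib's own version string and flags those older than a threshold. It assumes that the copyright strings zlib compiles into inflate/deflate (of the form " inflate X.Y.Z Copyright ...") survive in the linked binary, and the threshold FIXED_ZLIB is an assumed placeholder to be set from your vendor's advisory.

```shell
#!/bin/sh
# Added example: find statically linked zlib copies that predate the fix.
# Assumption: the fixed release number comes from your vendor advisory;
# the value below is a placeholder, not taken from the thread.
FIXED_ZLIB="1.1.4"

# zlib_version_of FILE -> prints the embedded zlib version (or nothing).
# Matches the version string zlib embeds in inflate.c/deflate.c; -a makes
# grep treat the binary as text so the match works on ELF files.
zlib_version_of() {
    grep -a -o -E '(inflate|deflate) [0-9]+\.[0-9]+\.[0-9]+' "$1" 2>/dev/null \
        | awk '{print $2}' | sort -u | head -n 1
}

# version_lt A B -> true when dotted version A is strictly lower than B
# (numeric per component, so 1.1.10 is not "lower" than 1.1.4).
version_lt() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# scan_for_old_zlib DIR -> prints "path version" for every regular file
# under DIR that embeds a zlib older than FIXED_ZLIB (candidates for rebuild).
scan_for_old_zlib() {
    find "$1" -type f 2>/dev/null | while read -r f; do
        v=$(zlib_version_of "$f")
        [ -n "$v" ] || continue
        if version_lt "$v" "$FIXED_ZLIB"; then
            echo "$f $v"
        fi
    done
}
```

A file that embeds no zlib string is silently skipped, so the output is a short list of rebuild candidates rather than the full tree; note it cannot see copies built without the version string.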
March 12th, 2002, 11:37 AM
All I can say is that hopefully somebody will come up with a patch mighty damn quick.
If you don't learn the rules nobody can accuse you of cheating.
March 12th, 2002, 01:34 PM
Most vendors already have fixes from what I have seen on bugtraq.
"Ignorance is bliss....
but only for your enemy"
March 12th, 2002, 04:05 PM
A) Patches have already been released for almost all major software that's vulnerable (a massive effort -- my kudos to the developers who worked hard to get it fixed fast)
B) This affects MORE than just linux. Lots of software period uses zlib (including some Windows stuff).
Again, I'd like to recommend to people that you pop on over to securityfocus.com and sign up for bugtraq, focus-linux and focus-ms. You'll keep on the up and up.
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?