Quote from: http://www.linuxsecurity.com/article...icle-4582.html

Today in a coordinated effort between all major Linux vendors, a vulnerability in the zlib library was announced, potentially affecting every installed Linux system in existence.
The vulnerability is rooted in the free() function and how it is used. Quoting from the EnGarde Secure Linux advisory, "The zlib shared library may attempt to free() a memory region more than once, potentially yielding a system exploitable by certain programs that use it for decompression. Because certain packages include their own zlib implementation or statically link against the system zlib, several packages need to be updated to properly fix this bug."

This vulnerability will also affect some vendors shipping implementations of the open source library within their binary applications.

Packages including X11, rsync, the Linux kernel, QT, mozilla, gcc, vnc, and many other programs that have the ability to use network compression are potentially vulnerable.

The reason this particular vulnerability is so significant is because many programs implement their own particular version of the zlib library, statically linked with their code, and therefore inheriting the potential for exploit.

No known exploit is available for this vulnerability at this time, but the implications of this vulnerability are significant, and have the potential for remote compromise leading to root privileges on the server.

As vendors post their advisories, LinuxSecurity will continue to update this page and our site, directing the Linux and open source security communities to the authoritative information from their Linux vendor.
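The advisory quoted above describes a double free: a library's teardown path passes the same heap block to free() more than once. The following is an added example, not code from the article or from zlib itself, showing the defective release pattern next to a hardened one in a small stand-in for a decompression library's per-stream state. The names stream_state, stream_init, stream_end_unsafe and stream_end_safe are hypothetical; the 32768-byte buffer size is just a constructed value.

```c
#include <stdlib.h>
#include <string.h>

/*
 * Constructed example: a minimal "stream state" standing in for the
 * per-stream structure a decompression library allocates. The names
 * (stream_state, stream_init, stream_end_*) are hypothetical, not zlib's.
 */
typedef struct {
    unsigned char *window;   /* heap buffer owned by the stream */
    size_t window_size;
} stream_state;

/* Allocate the stream's buffer. Returns 0 on success, -1 on failure. */
int stream_init(stream_state *s, size_t window_size)
{
    s->window = malloc(window_size);
    if (s->window == NULL) {
        s->window_size = 0;
        return -1;
    }
    memset(s->window, 0, window_size);
    s->window_size = window_size;
    return 0;
}

/*
 * The defective pattern: the buffer is released but the pointer is left
 * dangling, so a second call on the same state hands the same block to
 * free() again. That is the double free the advisory describes, and it is
 * undefined behaviour; this function is shown for contrast only and is
 * never called in this program.
 */
void stream_end_unsafe(stream_state *s)
{
    free(s->window);
}

/*
 * The hardened pattern: release is idempotent. The pointer is cleared
 * after free(), so a repeated call finds nothing to release and returns 0.
 * Returns 1 when a buffer was actually freed, 0 otherwise.
 */
int stream_end_safe(stream_state *s)
{
    if (s == NULL || s->window == NULL)
        return 0;
    free(s->window);
    s->window = NULL;
    s->window_size = 0;
    return 1;
}

/*
 * Drive the hardened teardown twice, as happens when both a library's own
 * cleanup and its caller's cleanup touch the same state. Returns the number
 * of real free() calls performed, which is 1 for the safe version.
 */
int demo_double_release(void)
{
    stream_state s;
    int freed = 0;

    if (stream_init(&s, 32768) != 0)
        return -1;
    freed += stream_end_safe(&s);   /* releases the buffer */
    freed += stream_end_safe(&s);   /* no-op: pointer already cleared */
    return freed;
}
```

Clearing the pointer after free() is the cheapest fix for this class of bug, but it only protects paths that go through the same state structure; the article's point about statically linked copies still applies, since a program carrying its own copy of the library keeps the defect until that copy is rebuilt.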