--------------------------------------------------------------------- Red Hat, Inc. Red Hat Security Advisory Synopsis: Vulnerability in zlib library (powertools) Advisory ID: RHSA-2002:027-22 Issue date: 2002-02-11 Updated on: 2002-03-11 Product: Red Hat Powertools Keywords: zlib double free Cross references: RHSA-2002:026 Obsoletes: --------------------------------------------------------------------- 1. Topic: The zlib compression library provides in-memory compression and decompression functions. It is widely used throughout Linux and other operating systems. While performing tests on the gdk-pixbuf library, Matthias Clasen created an invalid PNG image that caused libpng to crash. Upon further investigation, this turned out to be a bug in zlib 1.1.3. Certain input will cause zlib to free an area of memory twice (also called a "double free"). This bug can be used to crash any program that takes untrusted compressed input. Web browsers or email programs that display image attachments or other programs that uncompress data are particularly affected. This vulnerability makes it easy to perform various denial-of-service attacks against such programs. However, since the result of a double free is the corruption of the malloc implementation's data structures, it is possible that an attacker could manage a more significant exploit, such as running arbitrary code on the affected system. 2. Relevant releases/architectures: Red Hat Powertools 6.0 - alpha, i386, sparc Red Hat Powertools 6.1 - alpha, i386, sparc Red Hat Powertools 6.2 - alpha, i386, sparc Red Hat Powertools 7.0 - alpha, i386 Red Hat Powertools 7.1 - alpha, i386 3. Problem description: Most of the packages in Red Hat Linux use the shared zlib library and can be protected against vulnerability by updating to the errata zlib package. However, there have been a number of packages identified in Red Hat Linux that either statically link to zlib or contain an internal version of zlib code. Although no exploits for this issue or the affected packages are currently known to exist, this is a serious vulnerability that could be locally or remotely exploited. All users should upgrade affected packages immediately. Additionally, if you have any programs that you have compiled yourself you should check to see if they use zlib. If they link to the shared zlib library then they will not be vulnerable once the shared zlib library is updated to the errata package. If any programs that decompress arbitrary data either statically link to zlib or use their own version of the zlib code internally, then they need to be patched or recompiled. The following details apply to the Powertools distribution only; for packages included with the main Red Hat Linux distribution please see advisory RHSA-2002:026 abiword: Powertools 6.2 shipped with both statically and dynamically linked versions of AbiWord. The statically linked version is linked against the vulnerable zlib. It is recommended that users only use the dynamic version. acroread: The acroread package in Powertools 7.0 contains Acrobat Reader, a PDF viewer. This package contains an internal version of zlib which may be vulnerable. An update is not yet available, so users are advised to view PDF documents using xpdf or ghostview. amaya: Amaya is a Web browser/authoring tool. Amaya in Powertools 7.1 has been patched to use the system zlib, libjpeg, and libpng libraries instead of the internal static versions. flash: The flash package in Powertools 6.2 and 7.0 contains an unofficial Shockwave(TM) Flash2/Flash3 plug-in for Netscape which uses an internal version of zlib. This plug-in conflicts with the official flash plug-in included in the netscape package and should not be used. freeamp: Freeamp is an MP3 audio player in Powertools 6.2 and 7.0 which uses zlib when decompressing themes. Freeamp has been patched to use the system zlib library instead of the internal version. qt-embedded: Qt is a GUI toolkit for embedded devices. qt-embedded has been updated to version 2.3.2 and recompiled against the errata zlib library. vnc: VNC is a remote display system in Powertools 6.2. VNC has been patched to use the system zlib library. In addition, there is a small HTTP server implementation in the VNC server which can be made to wait indefinitely for input, thereby freezing an active VNC session. The VNC packages recommended by this advisory have been patched to fix this issue, as well. Users of VNC should be aware the program is designed for use on a trusted network. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory only contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info): 6. RPMs required: Red Hat Powertools 6.2: SRPMS: ftp://updates.redhat.com/6.2/en/powertools/SRPMS/vnc-3.3.3-2.3.src.rpm ftp://updates.redhat.com/6.2/en/powertools/SRPMS/freeamp-2.0.8-3.62.src.rpm alpha: ftp://updates.redhat.com/6.2/en/powertools/alpha/vnc-3.3.3-2.3.alpha.rpm ftp://updates.redhat.com/6.2/en/powertools/alpha/freeamp-2.0.8-3.62.alpha.rpm i386: ftp://updates.redhat.com/6.2/en/powertools/i386/vnc-3.3.3-2.3.i386.rpm ftp://updates.redhat.com/6.2/en/powertools/i386/freeamp-2.0.8-3.62.i386.rpm sparc: ftp://updates.redhat.com/6.2/en/powertools/sparc/vnc-3.3.3-2.3.sparc.rpm Red Hat Powertools 7.0: SRPMS: ftp://updates.redhat.com/7.0/en/powertools/SRPMS/freeamp-2.0.8-4.src.rpm alpha: ftp://updates.redhat.com/7.0/en/powertools/alpha/freeamp-2.0.8-4.alpha.rpm i386: ftp://updates.redhat.com/7.0/en/powertools/i386/freeamp-2.0.8-4.i386.rpm Red Hat Powertools 7.1: SRPMS: ftp://updates.redhat.com/7.1/en/powertools/SRPMS/amaya-4.0-4.src.rpm ftp://updates.redhat.com/7.1/en/powertools/SRPMS/qt-embedded-2.3.2-1.src.rpm alpha: ftp://updates.redhat.com/7.1/en/powertools/alpha/qt-embedded-2.3.2-1.alpha.rpm ftp://updates.redhat.com/7.1/en/powertools/alpha/qt-embedded-devel-2.3.2-1.alpha.rpm ftp://updates.redhat.com/7.1/en/powertools/alpha/qt-embedded-designer-2.3.2-1.alpha.rpm ftp://updates.redhat.com/7.1/en/powertools/alpha/qt-embedded-static-2.3.2-1.alpha.rpm i386: ftp://updates.redhat.com/7.1/en/powertools/i386/amaya-4.0-4.i386.rpm ftp://updates.redhat.com/7.1/en/powertools/i386/qt-embedded-2.3.2-1.i386.rpm ftp://updates.redhat.com/7.1/en/powertools/i386/qt-embedded-devel-2.3.2-1.i386.rpm ftp://updates.redhat.com/7.1/en/powertools/i386/qt-embedded-designer-2.3.2-1.i386.rpm ftp://updates.redhat.com/7.1/en/powertools/i386/qt-embedded-static-2.3.2-1.i386.rpm 7. Verification: MD5 sum Package Name -------------------------------------------------------------------------- 04a498e3a9122b133c7beb6bd61f7002 6.2/en/powertools/SRPMS/freeamp-2.0.8-3.62.src.rpm beb533f4769300842e9690573f8f5042 6.2/en/powertools/SRPMS/vnc-3.3.3-2.3.src.rpm 4ed9222dbb7efa7e91ec934007353123 6.2/en/powertools/alpha/freeamp-2.0.8-3.62.alpha.rpm d9b06f36f340b8cc1b1b0908f236aa92 6.2/en/powertools/alpha/vnc-3.3.3-2.3.alpha.rpm da6f8b0fdd725b70b3717642592ac57f 6.2/en/powertools/i386/freeamp-2.0.8-3.62.i386.rpm 45f7de3b77c693141214ea0858bdd758 6.2/en/powertools/i386/vnc-3.3.3-2.3.i386.rpm df7b617bd40a5bc7399def5a0b790d72 6.2/en/powertools/sparc/vnc-3.3.3-2.3.sparc.rpm 9728e294268313afb5d34635844bf325 7.0/en/powertools/SRPMS/freeamp-2.0.8-4.src.rpm 7980ec91d94bde4c38f26027d6a5c79e 7.0/en/powertools/alpha/freeamp-2.0.8-4.alpha.rpm 581445aca1ab654e9859631a2da1f25d 7.0/en/powertools/i386/freeamp-2.0.8-4.i386.rpm dcd4dac892444055519cbb5f4dbf3d25 7.1/en/powertools/SRPMS/amaya-4.0-4.src.rpm 452b8aad8b8782aee15e4bca9f32a47e 7.1/en/powertools/SRPMS/qt-embedded-2.3.2-1.src.rpm 3316b0c47c6d890271f7b88fe9d4b2ed 7.1/en/powertools/alpha/qt-embedded-2.3.2-1.alpha.rpm 481e6bab8b5882b0786170675521a2b3 7.1/en/powertools/alpha/qt-embedded-designer-2.3.2-1.alpha.rpm 10cf10058023b7908630910024a80020 7.1/en/powertools/alpha/qt-embedded-devel-2.3.2-1.alpha.rpm 7c41b1ed87341249f72054ad13b2b17a 7.1/en/powertools/alpha/qt-embedded-static-2.3.2-1.alpha.rpm 9d0d12d364e6e760db9465286ae9d0c8 7.1/en/powertools/i386/amaya-4.0-4.i386.rpm e6e968596f8df709c255fc26884aaeac 7.1/en/powertools/i386/qt-embedded-2.3.2-1.i386.rpm 732a30933fffb2fb807574e1614a8dfe 7.1/en/powertools/i386/qt-embedded-designer-2.3.2-1.i386.rpm d6debb26c81d7d3c84ad0257f8d7631b 7.1/en/powertools/i386/qt-embedded-devel-2.3.2-1.i386.rpm 14233bdde094d7ba2d2b4d63ea5f8e3f 7.1/en/powertools/i386/qt-embedded-static-2.3.2-1.i386.rpm These packages are GPG signed by Red Hat, Inc. for security. Our key is available at: http://www.redhat.com/about/contact/pgpkey.html You can verify each package with the following command: rpm --checksig <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg <filename> 8. References: The Common Vulnerabilities and Exposures project (cve.mitre.org/) has assigned the name CAN-2002-0059 to this issue. Red Hat would like to thank CERT/CC for their help in coordinating this issue with other vendors. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0059 http://bugzilla.gnome.org/show_bug.cgi?id=70594 Copyright(c) 2000, 2001, 2002 Red Hat, Inc.