On Thursday 25 April 2002 16:55, Frédéric LEMOIGNO wrote:
> Hello,
> Strictly speaking this is not a bug but rather a security hole,
> a fairly big one it seems. It is particularly troublesome because this library
> is used (and embedded) in many applications. See the linuxfr.org
> archives for more details.
> Fred
>
> On Thursday 25 April 2002 16:44, you wrote:
> > hello
> > I saw in a magazine that there was a bug in a zlib
> > compression/decompression library used by linux and mandrake
> > who knows?
> > thanks
> > nick

Here is a copy of the messages posted on Mandrake's security and exploits mailing list:

[exploits] (fwd) security problem fixed in zlib 1.1.4
From: "Vincent Danen" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Mon, 11 Mar 2002 21:14:13 -0700

Just as an FYI, our zlib will be announced in the morning (currently mirroring) and the zlib-related packages will be announced in a separate announcement later tomorrow with package updates showing up later in the day. This was done so that the zlib packages would get mirrored prior to the others so that at the very least people can update zlib from their favourite mirror quickly.

----- Forwarded message from Jean-loup Gailly <[EMAIL PROTECTED]> -----

From: Jean-loup Gailly <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: security problem fixed in zlib 1.1.4
Date: Mon, 11 Mar 2002 22:00:21 +0100
X-Mailer: VM 6.89 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid
Reply-To: Jean-loup Gailly <[EMAIL PROTECTED]>

The message was signed by unknown key ID 019671A7

Zlib Advisory 2002-03-11

zlib Compression Library Corrupts malloc Data Structures via Double Free

Original release date: March 11, 2002
Last revised: March 11, 2002
Source: This advisory is based on a CERT advisory written by Jeffrey P. Lanza. See original on http://www.cert.org

Systems Affected

  * Any software that is linked against zlib 1.1.3 or earlier
  * Any data compression library derived from zlib 1.1.3 or earlier

Overview

There is a vulnerability in the zlib shared library that may introduce vulnerabilities into any program that includes zlib. This vulnerability has been assigned a CVE candidate name of CAN-2002-0059
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0059

I. Description

There is a vulnerability in the decompression algorithm used by the popular zlib compression library.
If an attacker is able to pass a specially-crafted block of invalid compressed data to a program that includes zlib, the program's attempt to decompress the crafted data can cause the zlib routines to corrupt the internal data structures maintained by malloc.

The vulnerability results from a programming error that causes segments of dynamically allocated memory to be released more than once (aka. "double-freed"). Specifically, when inftrees.c:huft_build() encounters the crafted data, it returns an unexpected Z_MEM_ERROR to inftrees.c:inflate_trees_dynamic(). When a subsequent call is made to infblock.c:inflate_blocks(), the inflate_blocks function tries to free an internal data structure a second time.

Because this vulnerability interferes with the proper allocation and de-allocation of dynamic memory, it may be possible for an attacker to influence the operation of programs that include zlib. In most circumstances, this influence will be limited to denial of service or information leakage, but it is theoretically possible for an attacker to insert arbitrary code into a running program. This code would be executed with the permissions of the vulnerable program.

II. Impact

This vulnerability may introduce vulnerabilities into any program that includes the affected library. Depending upon how and where the zlib routines are called from the given program, the resulting vulnerability may have one or more of the following impacts: denial of service, information leakage, or execution of arbitrary code.

III. Solution

Upgrade your version of zlib

The maintainers of zlib have released version 1.1.4 to address this vulnerability. Any software that is linked against or derived from an earlier version of zlib should be upgraded immediately. The latest version of zlib is available at http://www.zlib.org

The md5 sums of the source archives are:

  abc405d0bdd3ee22782d7aa20e440f08  zlib-1.1.4.tar.gz
  ea16358be41384870acbdc372f9db152  zlib-1.1.4.tar.bz2

IV. Acknowledgments

Thanks to Owen Taylor and other people at Redhat Inc. for the reporting and research of this vulnerability.

This document is available from http://www.gzip.org/zlib/advisory-2002-03-11.txt

The public PGP key of zlib author Jean-loup Gailly is available from http://www.gzip.org/zlib/jloup.asc

End of PGP message

----- End forwarded message -----

-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD
Current Linux kernel 2.4.8-34.1mdk uptime: 8 hours 52 minutes.


MDKSA-2002:022 - zlib update
From: Mandrake Linux Security Team <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: 12 Mar 2002 17:04:28 -0000

The message was signed by unknown key ID 22458A98

________________________________________________________________________

Mandrake Linux Security Update Advisory
________________________________________________________________________

Package name:      zlib
Advisory ID:       MDKSA-2002:022
Date:              March 12th, 2002
Affected versions: 7.1, 7.2, 8.0, 8.1, Corporate Server 1.0.1, Single Network Firewall 7.2
________________________________________________________________________

Problem Description:

Matthias Clasen found a security issue in zlib that, when provided with certain input, causes zlib to free an area of memory twice. This "double free" bug can be used to crash any programs that take untrusted compressed input, such as web browsers, email clients, image viewing software, etc. This vulnerability can be used to perform Denial of Service attacks and, quite possibly, the execution of arbitrary code on the affected system.

MandrakeSoft has published two advisories concerning this incident:

  MDKSA-2002:022 - zlib
  MDKSA-2002:023 - packages containing zlib

The second advisory contains additional packages that bring their own copies of the zlib source, and as such need to be fixed and rebuilt.
Updating the zlib library is sufficient to protect those programs that use the system zlib, but the packages as noted in MDKSA-2002:023 will need to be updated for those packages that do not use the system zlib.
________________________________________________________________________

References:

  http://www.kb.cert.org/vuls/id/368819
________________________________________________________________________

Updated Packages:

________________________________________________________________________

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):

________________________________________________________________________

To upgrade automatically, use MandrakeUpdate. The verification of md5 checksums and GPG signatures is performed automatically for you.

If you want to upgrade manually, download the updated package from one of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm". A list of FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

  rpm --checksig <filename>

All packages are signed by MandrakeSoft for security. You can obtain the GPG public key of the Mandrake Linux Security Team from:

  https://www.mandrakesecure.net/RPM-GPG-KEYS

Please be aware that sometimes it takes the mirrors a few hours to update.

You can view other update advisories for Mandrake Linux at:

  http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that anyone can subscribe to.
Information on these lists can be obtained by visiting:

  http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact [EMAIL PROTECTED]
________________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team <[EMAIL PROTECTED]>

End of PGP message

Happy reading
I told you it was long!

-- 
Theory is when you understand everything but nothing works.
Practice is when it works without anyone knowing why.
Engineers bring the two together: nothing works and they don't know why.

ULg
Christophe Josselin
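
The failure shape the zlib advisory above describes (an error path releases a structure, then a later call releases it again), as an added C model that is not zlib's code and not part of the original messages. All names (model_state, setup_vulnerable, setup_hardened, cleanup) are hypothetical, releases are counted rather than passed to free() twice, and clearing the pointer is shown as one common remedy, not as the actual change made in zlib 1.1.4.

```c
#include <stdio.h>
#include <stdlib.h>

#define MODEL_OK 0
#define MODEL_MEM_ERROR (-4) /* stands in for the Z_MEM_ERROR named in the advisory */

/* Hypothetical decoder state: "table" plays the internal structure freed twice. */
struct model_state { int *table; int releases; };

/* Count the release instead of calling free() twice, which is undefined behaviour. */
static void model_release(struct model_state *s, int *p) { if (p) s->releases++; }

/* Constructed stand-in for the table builder: crafted input makes it fail. */
static int model_build(int crafted) { return crafted ? MODEL_MEM_ERROR : MODEL_OK; }

/* Vulnerable shape: the error path releases the table but keeps the stale pointer. */
static int setup_vulnerable(struct model_state *s, int crafted) {
    int r = model_build(crafted);
    if (r != MODEL_OK) model_release(s, s->table);
    return r;
}

/* Hardened shape: the error path clears the pointer, so ownership is unambiguous. */
static int setup_hardened(struct model_state *s, int crafted) {
    int r = model_build(crafted);
    if (r != MODEL_OK) { model_release(s, s->table); s->table = NULL; }
    return r;
}

/* Later call that tears the state down whatever happened before. */
static void cleanup(struct model_state *s) { model_release(s, s->table); s->table = NULL; }

/* Returns how many times the same table was released for one input. */
int count_releases(int hardened, int crafted) {
    struct model_state s;
    int *real = malloc(16 * sizeof *real);
    if (real == NULL) return -1;
    s.table = real; s.releases = 0;
    if (hardened) setup_hardened(&s, crafted); else setup_vulnerable(&s, crafted);
    cleanup(&s);
    free(real); /* the single real free, done once outside the model */
    return s.releases;
}

int main(void) {
    printf("vulnerable, crafted input: %d releases\n", count_releases(0, 1));
    printf("hardened,   crafted input: %d releases\n", count_releases(1, 1));
    return 0;
}
```

A release count above 1 for a single allocation is the double free; with well-formed input both shapes release exactly once, which is why the defect only shows on the error path.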