I have finally successfully installed WWWOFFLE 2.7; when it loads it
proudly displays `with zlib, without ipv6).'.
I have just received a notification from RedHat that their zlib library
contains a bug that may have implications for WWWOFFLE 2.7.
Attached are the opening paragraphs of the information - just in case
the problem needs attention and is news to anyone other than me.
Felix Karpfen
--
Felix Karpfen
[EMAIL PROTECTED]
Public Key 72FDF9DF (DH/DSA)
---------------------------------------------------------------------
Red Hat, Inc. Red Hat Security Advisory
Synopsis: Vulnerability in zlib library
Advisory ID: RHSA-2002:026-35
Issue date: 2002-02-11
Updated on: 2002-03-11
Product: Red Hat Linux
Keywords: zlib double free
Cross references: RHSA-2002:028 RHSA-2002:027
Obsoletes:
---------------------------------------------------------------------
1. Topic:
The zlib library provides in-memory compression/decompression
functions. The library is widely used throughout Linux and other operating
systems.
While performing tests on the gdk-pixbuf library, Matthias Clasen created
an invalid PNG image that caused libpng to crash. Upon further
investigation, this turned out to be a bug in zlib 1.1.3 where certain
types of input will cause zlib to free the same area of memory twice
(called a "double free").
This bug can be used to crash any program that takes untrusted
compressed input. Web browsers or email programs that
display image attachments or other programs that uncompress data are
particularly affected. This vulnerability makes it easy to perform various
denial-of-service attacks against such programs.
It is also possible that an attacker could manage a more significant
exploit, since the result of a double free is the corruption of the
malloc() implementation's data structures. This could include running
arbitrary code on local or remote systems.
Most packages in Red Hat Linux use the shared zlib library and can be
protected against vulnerability by updating to the errata zlib
package. However, we have identified a number of packages in Red Hat
Linux that either statically link to zlib or contain an internal
version of zlib code.
Although no exploits for this issue or these packages are currently
known to exist, this is a serious vulnerability which could be
locally or remotely exploited. All users should upgrade affected packages
immediately.
Additionally, if you have any programs that you have compiled yourself,
you should check to see if they use zlib. If they link to the shared
zlib library then they will not be vulnerable once the shared zlib
library is updated to the errata package. However, if any programs that
decompress arbitrary data statically link to zlib or use their own version
of the zlib code internally, then they need to be patched or
recompiled.
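
The check the advisory asks for in its last paragraph, as an added example that is not part of the original message or of the Red Hat advisory. It assumes a system with `grep`, `awk` and (optionally) `readelf`; the function names are hypothetical, and the banner match is a heuristic, since a build that strips unused data can hide an embedded copy.

```shell
#!/bin/sh
# Added example: report how a binary uses zlib (embedded copy, shared, or none).

# zlib compiles copyright banners such as
#   " inflate 1.1.3 Copyright 1995-1998 Mark Adler "
# into its object code, so a statically linked or bundled copy can be
# identified by version even though it has no shared-library dependency.
embedded_zlib_version() {
    LC_ALL=C grep -a -o -E '(inflate|deflate) [0-9]+(\.[0-9]+)+ Copyright' "$1" 2>/dev/null |
        awk '{print $2}' | sort -u | head -n 1
}

# Read the DT_NEEDED entries with readelf rather than ldd: ldd may execute
# the file it inspects, which is unsafe on binaries you do not trust.
uses_shared_zlib() {
    command -v readelf >/dev/null 2>&1 || return 1
    readelf -d "$1" 2>/dev/null | grep -q 'NEEDED.*libz\.so'
}

# Prints one of: "embedded <ver> AFFECTED-rebuild", "embedded <ver>",
# "shared" (fixed by updating the system zlib package), or "none".
classify_zlib() {
    ver=$(embedded_zlib_version "$1")
    if [ -n "$ver" ]; then
        # 1.1.3 is the version the advisory names as containing the double free.
        if [ "$ver" = "1.1.3" ]; then
            echo "embedded $ver AFFECTED-rebuild"
        else
            echo "embedded $ver"
        fi
    elif uses_shared_zlib "$1"; then
        echo "shared"
    else
        echo "none"
    fi
}

# Usage: sh zcheck.sh /usr/local/bin/*
for f in "$@"; do
    if [ -f "$f" ]; then
        printf '%s: %s\n' "$f" "$(classify_zlib "$f")"
    fi
done
```

A result of "shared" means the program is covered once the system zlib package is updated; "embedded 1.1.3" means the program itself has to be patched or recompiled.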