[Update 20 Mar 2002: Added kernel packages for Red Hat Linux 6.2 on sparc64. Updated VNC packages as the previous fix caused another denial of service vulnerability; thanks to Const Kaplinsky for reporting this] [Update 14 Mar 2002: Updated kernel packages for Red Hat Linux 6.2 and 7.0 which were missing the zlib fix; added missing kernel-headers package for 6.2.] The zlib library provides in-memory compression/decompression functions. The library is widely used throughout Linux and other operating systems. While performing tests on the gdk-pixbuf library, Matthias Clasen created an invalid PNG image that caused libpng to crash. Upon further investigation, this turned out to be a bug in zlib 1.1.3 where certain types of input will cause zlib to free the same area of memory twice (called a "double free"). This bug can be used to crash any program that takes untrusted compressed input. Web browsers or email programs that display image attachments or other programs that uncompress data are particularly affected. This vulnerability makes it easy to perform various denial-of-service attacks against such programs. It is also possible that an attacker could manage a more significant exploit, since the result of a double free is the corruption of the malloc() implementation's data structures. This could include running arbitrary code on local or remote systems. Most packages in Red Hat Linux use the shared zlib library and can be protected against vulnerability by updating to the errata zlib package. However, we have identified a number of packages in Red Hat Linux that either statically link to zlib or contain an internal version of zlib code. Although no exploits for this issue or these packages are currently known to exist, this is a serious vulnerability which could be locally or remotely exploited. All users should upgrade affected packages immediately. Additionally, if you have any programs that you have compiled yourself, you should check to see if they use zlib. If they link to the shared zlib library then they will not be vulnerable once the shared zlib library is updated to the errata package. However, if any programs that decompress arbitrary data statically link to zlib or use their own version of the zlib code internally, then they need to be patched or recompiled.
The following details apply to the main Red Hat Linux distribution only. Please see advisory RHSA-2002:027 for Powertools packages. cvs: cvs is a version control system. The cvs package has been rebuilt to link against the shared system zlib instead of the internal version. Additionally, cvs has been updated to version 1.11.1p1 for Red Hat Linux 6.2, 7.0 and 7.1 which also corrects a possible security vulnerability due to an improperly initialized global variable. (CAN-2002-0092) dump: The dump package contains programs for backing up and restoring filesystems. It links statically to zlib and has been rebuilt against the errata zlib package. Red Hat Linux 7, 7.1, and 7.2 packages have also been upgraded to dump-0.4b25, which includes many non-security fixes. gcc3: The gcc3 package contains the GNU Compiler Collection version 3.0. It has been updated to version 3.0.4 and patched to link against the system zlib instead of the internal version. libgcj: The libgcj package includes the Java runtime library, which is needed to run Java programs compiled using the gcc Java compiler (gcj). libgcj has been patched to use the shared system zlib. kernel: The Linux kernel internally contains several variants of zlib code. However, ppp compression is the only implementation that is used with untrusted data streams. This issue has been patched. New kernel errata packages are included for Red Hat Linux 6.2 and 7. Users of Red Hat Linux 7.1, or 7.2 should update to the currently released kernel errata RHSA-2002-028 (2.4.9-31) which already contains this fix. Netscape Navigator: Users are advised to obtain an update from Netscape. rsync: rsync is a program for synchronizing files over a network. rsync uses a modified version of zlib internally. These errata packages patch this internal version of zlib. The rsync update package also fixes another security issue where rsync did not call setgroups() before dropping the privileges of the connecting user. Hence, it is possible for users to retain the group IDs of any supplemental groups that rsync was started in (for example, supplementary groups of the root user), allowing users to access files they may not otherwise be able to access. Thanks to Martin Pool and Andrew Tridgell for alerting us to this issue. CAN-2002-0080. VNC: VNC is a remote display system in Powertools 6.2. VNC has been patched to use the system zlib library. In addition, there is a small HTTP server implementation in the VNC server which can be made to wait indefinitely for input, thereby freezing an active VNC session. The VNC packages recommended by this advisory have been patched to fix this issue. Users of VNC should be aware that the program is designed for use on a trusted network. zlib: The zlib library has been updated with a patch to fix the aforementioned vulnerability.