[ESA-20020311-008] Double free() in zlib may lead to buffer overflow.

From: EnGarde Secure Linux (securityat_private)
Date: Mon Mar 11 2002 - 09:41:04 PST


    +------------------------------------------------------------------------+
    | EnGarde Secure Linux Security Advisory                  March 11, 2002 |
    | http://www.engardelinux.org/                          ESA-20020311-008 |
    |                                                                        |
    | Packages: zlib, kernel, popt, rpm, rsync                               |
    | Summary:  Double free() in zlib may lead to buffer overflow.           |
    +------------------------------------------------------------------------+
    
      EnGarde Secure Linux is a secure distribution of Linux that features
      improved access control, host and network intrusion detection, Web
      based secure remote management, complete e-commerce using AllCommerce,
      and integrated open source security tools.
    
    
    OVERVIEW
    --------
      The zlib shared library may attempt to free() the same memory region
      more than once.  The resulting heap corruption can make a system
      exploitable through programs that use zlib for decompression.  Because
      some packages bundle their own copy of zlib or link statically against
      the system zlib, several packages must be updated to fully fix this bug.
    
    
    DETAIL
    ------
      Matthias Clasen <maclasat_private> and Owen Taylor <otaylorat_private>
      discovered this bug while debugging a problem in the gdk-pixbuf
      library[1].  The vulnerability arises from an error where a segment
      of dynamically allocated memory may be "double free()'d", leading to
      corruption of malloc's internal data structures.
    
      This corruption leads to a buffer overflow in the zlib library, which
      affects any program that links against it.  To properly fix this bug,
      the zlib, kernel, rpm and rsync packages all needed to be updated.
      Other security and bug-fix updates were included in the kernel and
      rsync packages.
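      To make the lifecycle bug described above concrete, the following is a
      constructed C example added here (not zlib's or EnGarde's code): a decoder
      state whose reset path frees a sub-allocation and whose teardown path frees
      it again, beside the hardened form; the simulated allocator, struct and all
      names are hypothetical.

```c
/* Constructed example, not zlib's code: a decoder state that owns one
 * sub-allocation, plus a tiny instrumented heap that counts frees of
 * chunks that are already free (what a hardened malloc would catch). */
#define NCHUNKS 4
static int chunk_in_use[NCHUNKS];
static int double_frees;                  /* frees that hit a free chunk */
static int sim_alloc(void) {
    for (int i = 0; i < NCHUNKS; i++)
        if (!chunk_in_use[i]) { chunk_in_use[i] = 1; return i; }
    return -1;
}
static void sim_free(int idx) {
    if (idx < 0) return;                  /* nothing owned: no-op */
    if (!chunk_in_use[idx]) { double_frees++; return; }
    chunk_in_use[idx] = 0;
}

enum { MODE_TYPE, MODE_CODES };
typedef struct { int mode; int codes; } blocks_state;
static void blocks_start(blocks_state *s) {
    s->mode = MODE_CODES;
    s->codes = sim_alloc();               /* sub-state lives while decoding */
}
/* Buggy reset: releases the sub-state but keeps the stale handle and
 * mode, so the teardown path below releases it a second time. */
static void blocks_reset_buggy(blocks_state *s) {
    if (s->mode == MODE_CODES) sim_free(s->codes);
}
/* Hardened reset: release once, then drop ownership so that every later
 * path finds nothing left to free. */
static void blocks_reset_fixed(blocks_state *s) {
    if (s->mode == MODE_CODES) { sim_free(s->codes); s->codes = -1; }
    s->mode = MODE_TYPE;
}
static void blocks_free(blocks_state *s) { /* teardown path */
    if (s->mode == MODE_CODES) sim_free(s->codes);
}

/* Runs start -> reset -> free and returns how many double frees occurred:
 * 1 with the buggy reset, 0 with the hardened one. */
int run_lifecycle(int use_fixed) {
    blocks_state s;
    for (int i = 0; i < NCHUNKS; i++) chunk_in_use[i] = 0;
    double_frees = 0;
    blocks_start(&s);
    if (use_fixed) blocks_reset_fixed(&s); else blocks_reset_buggy(&s);
    blocks_free(&s);
    return double_frees;
}
```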
    
      A summary of all included updates follows:
    
        zlib (1.0.4)
        ------------
          * Fixed double free in infblock.c.
    
        kernel (1.0.27)
        ---------------
          * Fixed double free in drivers/net/zlib.c.
          * Fixed bug where users could kill system processes using lcall().
    
        popt / rpm (1.0.14)
        -------------------
          * Re-linked against updated zlib.
    
        rsync (1.0.6)
        -------------
          * Fixed double free in zlib/infblock.c.
          * Fixed some more signedness issues related to ESA-20020125-004.
          * Make rsync drop supplementary groups when changing UIDs.
    
      The Common Vulnerabilities and Exposures project (cve.mitre.org) has
      assigned the name CAN-2002-0059 to this issue.
    
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0059
    
      All users should upgrade immediately, following the SOLUTION section
      below carefully.
    
    
    SOLUTION
    --------
      Users of the EnGarde Professional edition can use the Guardian Digital
      Secure Network to update their systems automatically.
    
      EnGarde Community users should upgrade to the most recent version
      as outlined in this advisory.  Updates may be obtained from:
    
        ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
        http://ftp.engardelinux.org/pub/engarde/stable/updates/
    
      Please read and understand this entire section before you attempt to
      upgrade these packages.
    
      Initial Steps
      -------------
        1) Verify the machine is either:
    
           a) booted into a "standard" kernel; or
           b) LIDS is disabled (/sbin/lidsadm -S -- -LIDS_GLOBAL)
    
        2) Determine which kernels you currently have installed:
    
             # rpm -qa --qf "%{NAME}\n" | grep kernel
    
        3) Download the new kernels that match what you have installed
           (based on step 2) from the "UPDATED PACKAGES" section of this
           advisory.
    
        4) Download the rest of these updates (zlib, rpm, rsync).
    
      Installation Steps
      ------------------
        5) Install the new kernel packages.  The packages will automagically
           update /etc/lilo.conf by commenting out any old EnGarde images
           and replacing them with the new ones:
    
             # rpm --replacefiles -i <kernel 1> <kernel 2> ...
    
        6) Upgrade the rest of the packages:
    
             # rpm -Uvh popt*.rpm rpm*.rpm rsync*.rpm zlib*.rpm
    
        7) Re-run LILO.  If you see any errors then open /etc/lilo.conf in
           your favorite text editor and make the appropriate changes:
    
             # /sbin/lilo
    
    
      Final Steps
      -----------
        8) If you did not see any LILO errors then your new kernel is now
           installed and your machine is ready to be rebooted:
    
             # reboot
    
           A reboot is required to properly complete this update.
    
    
    UPDATED PACKAGES
    ----------------
      These updated packages are for EnGarde Secure Linux Community
      Edition.
    
      Source Packages:
    
        SRPMS/kernel-2.2.19-1.0.27.src.rpm
          MD5 Sum: e7af4de890c24cf9d88a05fdf1d355c5
    
        SRPMS/rpm-3.0.6-1.0.14.src.rpm
          MD5 Sum: 6e202c6d02f0b76b9f212ae74c54c211
    
        SRPMS/rsync-2.4.6-1.0.6.src.rpm
          MD5 Sum: c31cd404485d7d7022ade4802c4b6f6a
    
        SRPMS/zlib-1.1.3-1.0.4.src.rpm
          MD5 Sum: fad84ed3b4e0a5845abc786b131cf5e4
    
    
      i386 Binary Packages:
    
        i386/kernel-2.2.19-1.0.27.i386.rpm
          MD5 Sum: d973f6a0b35d26f6be80744a2069af70
    
        i386/kernel-lids-mods-2.2.19-1.0.27.i386.rpm
          MD5 Sum: f80456e25b75dd05c15302e4f51c7091
    
        i386/kernel-smp-lids-mods-2.2.19-1.0.27.i386.rpm
          MD5 Sum: 99915dbb34d29d6111d6aa6595bfd932
    
        i386/kernel-smp-mods-2.2.19-1.0.27.i386.rpm
          MD5 Sum: cc3e0ae1208cfe1e4b5471ec6b8c5947
    
        i386/popt-1.5-1.0.14.i386.rpm
          MD5 Sum: 034d201a831a60bdb65561cd47179241
    
        i386/rpm-3.0.6-1.0.14.i386.rpm
          MD5 Sum: 2319064a6c566b5f7611bc0cb2ba8192
    
        i386/rsync-2.4.6-1.0.6.i386.rpm
          MD5 Sum: 8711acaf8861a69ff2f93e5c04be569a
    
        i386/zlib-1.1.3-1.0.4.i386.rpm
          MD5 Sum: 42afd482da0a6c845d221487ab274090
    
    
      i686 Binary Packages:
    
        i686/kernel-2.2.19-1.0.27.i686.rpm
          MD5 Sum: 41f7dea256382e8fe8c931ae7a8b316b
    
        i686/kernel-lids-mods-2.2.19-1.0.27.i686.rpm
          MD5 Sum: 02f25cc810bbcef6c9da64ae9421304d
    
        i686/kernel-smp-lids-mods-2.2.19-1.0.27.i686.rpm
          MD5 Sum: 3ce8fd883a2afb9bbca42623882ac42c
    
        i686/kernel-smp-mods-2.2.19-1.0.27.i686.rpm
          MD5 Sum: 719eefbc2e4fbff557cf61dd972e8273
    
        i686/popt-1.5-1.0.14.i686.rpm
          MD5 Sum: e97853c5d1285f6aaf891e59cf71abe1
    
        i686/rpm-3.0.6-1.0.14.i686.rpm
          MD5 Sum: be79daaa06b387164a862601077f5e03
    
        i686/rsync-2.4.6-1.0.6.i686.rpm
          MD5 Sum: ae64525c60870f7153c79ee80a022941
    
        i686/zlib-1.1.3-1.0.4.i686.rpm
          MD5 Sum: f5dec2b85b56dcfcb88bd8526d4ab6e2
    
    
    REFERENCES
    ----------
      [1] http://bugzilla.gnome.org/show_bug.cgi?id=70594
    
      Guardian Digital's public key:
        http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY
    
      Credit for the discovery/handling of this bug goes to:
        Mark J Cox <mjcat_private>
        Matthias Clasen <maclasat_private>
        Owen Taylor <otaylorat_private>
    
      zlib's Official Web Site:
        http://www.gzip.org/zlib
    
      Security Contact:    securityat_private
      EnGarde Advisories:  http://www.engardelinux.org/advisories.html
    
    --------------------------------------------------------------------------
    $Id: ESA-20020311-008-zlib,v 1.7 2002/03/11 15:29:32 rwm Exp $
    --------------------------------------------------------------------------
    Author: Ryan W. Maple, <ryanat_private>
    Copyright 2002, Guardian Digital, Inc.
    



    This archive was generated by hypermail 2b30 : Mon Mar 11 2002 - 18:14:39 PST