Home > Security > Advisories

Advisories

Mandriva Advisories

Package name zlib
Date March 12th, 2002
Advisory ID MDKSA-2002:022
Affected versions 7.1, 7.2, 8.0, 8.1, CS1.0
Synopsis Updated zlib packages fix double free vulnerability

Problem Description

Matthias Clasen found a security issue in zlib that, when provided with
certain input, causes zlib to free an area of memory twice. This
"double free" bug can be used to crash any programs that take untrusted
compressed input, such as web browsers, email clients, image viewing
software, etc. This vulnerability can be used to perform Denial of
Service attacks and, quite possibly, the execution of arbitrary code on
the affected system.

MandrakeSoft has published two advisories concerning this incident:

MDKSA-2002:022 - zlib
MDKSA-2002:023 - packages containing zlib

The second advisory contains additional packages that bring their own
copies of the zlib source, and as such need to be fixed and rebuilt.
Updating the zlib library is sufficient to protect those programs that
use the system zlib, but the packages as noted in MDKSA-2002:023 will
need to be updated for those packages that do not use the system zlib.

Updated Packages

Mandrakelinux 7.1

 7921c049e634ae5bde97e963aa47d22b  7.1/RPMS/zlib-1.1.3-11.1mdk.i586.rpm
5146bc0863db8692475887884d4ee66a  7.1/RPMS/zlib-devel-1.1.3-11.1mdk.i586.rpm
2e24e2958c0663378635ede5f8ca4d83  7.1/SRPMS/zlib-1.1.3-11.1mdk.src.rpm

Mandrakelinux 7.2

 e23855800a5f9933217e6c94f2c93069  7.2/RPMS/zlib-1.1.3-11.1mdk.i586.rpm
f39c0455f8d0ae276cb5417dcfb3aa00  7.2/RPMS/zlib-devel-1.1.3-11.1mdk.i586.rpm
2e24e2958c0663378635ede5f8ca4d83  7.2/SRPMS/zlib-1.1.3-11.1mdk.src.rpm

Mandrakelinux 8.0

 58775896267f0454e554578c732e685c  8.0/RPMS/zlib1-1.1.3-16.1mdk.i586.rpm
8917338feb592dad773cb6b3feac0d91  8.0/RPMS/zlib1-devel-1.1.3-16.1mdk.i586.rpm
582b5dd80b2ff9f24ed274fbc82c5c19  8.0/SRPMS/zlib-1.1.3-16.1mdk.src.rpm

Mandrakelinux 8.0/PPC

 939ed423af6fc514e4bde2dfc519ea13  ppc/8.0/RPMS/zlib1-1.1.3-16.1mdk.ppc.rpm
f8efcbf6e55e2774fbd98b67ffe9838f  ppc/8.0/RPMS/zlib1-devel-1.1.3-16.1mdk.ppc.rpm
582b5dd80b2ff9f24ed274fbc82c5c19  ppc/8.0/SRPMS/zlib-1.1.3-16.1mdk.src.rpm

Mandrakelinux 8.1

 6dca9c0ff7dac9759d735150139182da  8.1/RPMS/zlib1-1.1.3-16.1mdk.i586.rpm
320d06d5f1acc841965ad6c16db396cf  8.1/RPMS/zlib1-devel-1.1.3-16.1mdk.i586.rpm
582b5dd80b2ff9f24ed274fbc82c5c19  8.1/SRPMS/zlib-1.1.3-16.1mdk.src.rpm

Mandrakelinux 8.1/IA64

 c25baf28293b0619fad97c863e953103  ia64/8.1/RPMS/zlib1-1.1.3-16.1mdk.ia64.rpm
10000858776526410b0d3526f1157909  ia64/8.1/RPMS/zlib1-devel-1.1.3-16.1mdk.ia64.rpm
582b5dd80b2ff9f24ed274fbc82c5c19  ia64/8.1/SRPMS/zlib-1.1.3-16.1mdk.src.rpm

Corporate Server 1.0.1

 7921c049e634ae5bde97e963aa47d22b  1.0.1/RPMS/zlib-1.1.3-11.1mdk.i586.rpm
5146bc0863db8692475887884d4ee66a  1.0.1/RPMS/zlib-devel-1.1.3-11.1mdk.i586.rpm
2e24e2958c0663378635ede5f8ca4d83  1.0.1/SRPMS/zlib-1.1.3-11.1mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0059
http://www.kb.cert.org/vuls/id/368819

Upgrade

To upgrade automatically, use MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

                rpm --checksig package.rpm
                

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.