RHN Errata Alert: Vulnerability in zlib library

RHN Errata Alert: Vulnerability in zlib library

Security Advisory - RHSA-2002:026-49

Complete information about this errata can be found at the following location:
https://rhn.redhat.com/network/errata/errata_details.pxt?eid=1050

RHN Errata Alert: Vulnerability in zlib library

Summary:
Vulnerability in zlib library

[Update 20 Mar 2002:
Added kernel packages for Red Hat Linux 6.2 on sparc64. Updated VNC packages as the previous fix caused another denial of service vulnerability; thanks to Const Kaplinsky for reporting this]

[Update 14 Mar 2002:
Updated kernel packages for Red Hat Linux 6.2 and 7.0 which were missing
the zlib fix; added missing kernel-headers package for 6.2.]

The zlib library provides in-memory compression/decompression
functions. The library is widely used throughout Linux and other
operating
systems.

While performing tests on the gdk-pixbuf library, Matthias Clasen created
an invalid PNG image that caused libpng to crash. Upon further
investigation, this turned out to be a bug in zlib 1.1.3 where certain
types of input will cause zlib to free the same area of memory twice
(called a "double free").

This bug can be used to crash any program that takes untrusted
compressed input. Web browsers or email programs that
display image attachments or other programs that uncompress data are
particularly affected. This vulnerability makes it easy to perform
various
denial-of-service attacks against such programs.

It is also possible that an attacker could manage a more significant
exploit, since the result of a double free is the corruption of the
malloc() implementation's data structures. This could include running
arbitrary code on local or remote systems.

Most packages in Red Hat Linux use the shared zlib library and can be
protected against vulnerability by updating to the errata zlib
package. However, we have identified a number of packages in Red Hat
Linux that either statically link to zlib or contain an internal
version of zlib code.

Although no exploits for this issue or these packages are currently
known to exist, this is a serious vulnerability which could be
locally or remotely exploited. All users should upgrade affected packages
immediately.

Additionally, if you have any programs that you have compiled yourself,
you should check to see if they use zlib. If they link to the shared
zlib library then they will not be vulnerable once the shared zlib
library is updated to the errata package. However, if any programs that
decompress arbitrary data statically link to zlib or use their own
version
of the zlib code internally, then they need to be patched or
recompiled.

Description:
The following details apply to the main Red Hat Linux distribution only. Please see advisory RHSA-2002:027 for Powertools packages.

cvs: cvs is a version control system. The cvs package has been rebuilt to link against the shared system zlib instead of the internal version.

Additionally, cvs has been updated to version 1.11.1p1 for Red Hat Linux 6.2, 7.0 and 7.1 which also corrects a possible security vulnerability due to an improperly initialized global variable. (CAN-2002-0092)

dump: The dump package contains programs for backing up and restoring filesystems. It links statically to zlib and has been rebuilt against the errata zlib package. Red Hat Linux 7, 7.1, and 7.2 packages have also been upgraded to dump-0.4b25, which includes many non-security fixes.

gcc3: The gcc3 package contains the GNU Compiler Collection version 3.0. It has been updated to version 3.0.4 and patched to link against the system zlib instead of the internal version.

libgcj: The libgcj package includes the Java runtime library, which is needed to run Java programs compiled using the gcc Java compiler (gcj). libgcj has been patched to use the shared system zlib.

kernel: The Linux kernel internally contains several variants of zlib
code. However, ppp compression is the only implementation that is used with untrusted data streams. This issue has been patched. New kernel errata packages are included for Red Hat Linux 6.2 and 7.

Users of Red Hat Linux 7.1, or 7.2 should update to the currently released kernel errata RHSA-2002-028 (2.4.9-31) which already contains this fix.

Netscape Navigator: Users are advised to obtain an update from Netscape.

rsync: rsync is a program for synchronizing files over a network. rsync uses a modified version of zlib internally. These errata packages patch this internal version of zlib.

The rsync update package also fixes another security issue where rsync did not call setgroups() before dropping the privileges of the connecting user. Hence, it is possible for users to retain the group IDs of any supplemental groups that rsync was started in (for example, supplementary groups of the root user), allowing users to access files they may not otherwise be able to access. Thanks to Martin Pool and Andrew Tridgell for alerting us to this issue. CAN-2002-0080.

VNC: VNC is a remote display system in Powertools 6.2. VNC has been patched to use the system zlib library.

In addition, there is a small HTTP server implementation in the VNC server which can be made to wait indefinitely for input, thereby freezing an active VNC session. The VNC packages recommended by this advisory have been patched to fix this issue. Users of VNC should be aware that the program is designed for use on a trusted network.

zlib: The zlib library has been updated with a patch to fix the aforementioned vulnerability.

References:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0059 to the zlib issue. Red Hat would like to thank CERT/CC for their help in coordinating this issue with other vendors

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0059
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0092
http://bugzilla.gnome.org/show_bug.cgi?id=70594
------------------------------------------------------------------------------

-------------
Taking Action
-------------
You may address the issues outlined in this advisory in two ways:

- select your server name by clicking on its name from the list
available at the following location, and then schedule an
errata update for it:
https://rhn.redhat.com/network/systemlist/system_list.pxt

- run the Update Agent on each affected server.

---------------------------------
Changing Notification Preferences
---------------------------------
To enable/disable your Errata Alert preferences globally please log in to RHN and navigate from "Your RHN" / "Your Account" to the "Preferences" tab.

URL: https://rhn.redhat.com/network/my_account/my_prefs.pxt

You can also enable/disable notification on a per system basis by selecting an individual system from the "Systems List". From the individual system view click the "Details" tab.