[Tuglist] [tex-live] zlib vulnerability: upgrade to 1.1.4

Radhakrishnan CV tuglist@tug.org.in
Tue, 12 Mar 2002 08:17:53 +0530 (IST)


---------- Forwarded message ----------
Date: Mon, 11 Mar 2002 17:59:10 -0700 (MST)
From: Nelson H. F. Beebe <beebe@math.utah.edu>
To: CTAN maintainers <ctan@nova.dante.de>,
    tex-live@tug.org
Cc: beebe@math.utah.edu
Subject: [tex-live] zlib vulnerability: upgrade to 1.1.4

The attached security bulletin about a need to upgrade zlib to
version 1.1.4 is relevant to the gs-devel and gs-test lists, and
also to tex-archive, CTAN, and possibly also tex-live folks, so I'm
reposting it to several lists [in separate messages.]

I've just completed building, testing, and installing the new zlib
on all local architectures at my site.

For those versions of gs built with shared libraries (the default on
most current UNIX architectures), no changes are needed, since the
reference to libz.so will automatically get the new version the next
time gs is run.

In the TeX-Live 6 CD, there are no executables in

	bin/alphaev5-osf4.0d
	bin/mips-irix6.5
	bin/sparc-solaris2.7

that refer to this library, according to ldd, but there might be in
the upcoming TeX-Live 7 CD.  This should be checked ASAP, for all
supported binary distributions.

There is a copy of the old, now outdated, zlib-1.1.3.gz and
zlib113.zip files in the CTAN archives in

	tex-archive/tools/zip/info-zip/zlib/

It should be replaced by the new files

	http://www.libpng.org/pub/png/src/zlib-1.1.4.tar.gz
	http://www.libpng.org/pub/png/src/zlib114.zip


  ---------------

Date: Mon, 11 Mar 2002 13:26:49 -0800
Message-Id: <200203112126.g2BLQniv026666@newbolt.sonic.net>
From: Greg Roelofs <newt@pobox.com>
To: info-zip@sonic.net, info-zip-announce@lists.wku.edu,
        mng-list@ccrc.wustl.edu, png-announce@ccrc.wustl.edu,
        png-implement@ccrc.wustl.edu, png-list@ccrc.wustl.edu
Subject: [mng-list] zlib vulnerability:  upgrade to 1.1.4
Cc: zip-bugs@lists.wku.edu
Sender: owner-mng-list@ccrc.wustl.edu
Precedence: bulk
Reply-To: mng-list@ccrc.wustl.edu

Folks,

The CERT release isn't yet out (as I write this), but news.com just
published an article (not entirely accurate), and as a consequence,
zlib.org has gone public as well:

	http://news.com.com/2102-1001-857008.html
	http://www.zlib.org/

Basically, there's a double-free bug in zlib, and a carefully
crafted (bogus) inflate stream could corrupt the host application's
memory management and conceivably execute arbitrary code.  There are
no known exploits for this so far, but there have been cases of
attacks being attempted.  Given the pervasiveness of zlib in
software, this should be considered a fairly serious vulnerability.

So grab zlib 1.1.4 and start compiling, eh?  Note that gzip and Zip
are not vulnerable, and only custom versions of UnZip (compiled with
USE_ZLIB) should be.

Oops, the CERT advisory just went out.  It doesn't seem to be on
their (very slow) web site yet, however.

-- 
Greg Roelofs            newt@pobox.com             http://pobox.com/~newt/
Newtware, PNG Group, Info-ZIP, AlphaWorld Map, Philips Semiconductors, ...

--
Send the message body "help" to mng-list-request@ccrc.wustl.edu

-------------------------------------------------------------------------------
- Nelson H. F. Beebe                    Tel: +1 801 581 5254                  -
- Center for Scientific Computing       FAX: +1 801 585 1640, +1 801 581 4148 -
- University of Utah                    Internet e-mail: beebe@math.utah.edu  -
- Department of Mathematics, 110 LCB        beebe@acm.org  beebe@computer.org -
- 155 S 1400 E RM 233                       beebe@ieee.org                    -
- Salt Lake City, UT 84112-0090, USA    URL: http://www.math.utah.edu/~beebe  -
-------------------------------------------------------------------------------
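The check Nelson describes above (run ldd over every executable in a
TeX-Live bin directory and see whether any of them pulls in libz) can be
scripted. The following POSIX shell script is an added example and is not
part of either message in this thread or of the TeX-Live/CTAN tooling. It
walks a bin directory, asks ldd which shared libz each executable loads,
pulls the version out of zlib's embedded copyright string, and flags
anything older than 1.1.4. Because ldd only reports shared libraries, a
binary that links zlib statically (common for cross-platform TeX-Live
builds) would be missed by ldd alone, so the script also looks for the
copyright string in the executable itself. Assumptions: ldd is available
and prints "libz.so.N => /path (addr)" lines, strings is available, and
the zlib object embeds a string of the form "inflate 1.1.3 Copyright ...";
all function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Scan a bin directory for executables that use zlib and report whether
# the zlib they carry predates the 1.1.4 double-free fix.

FIXED_VERSION=1.1.4

# version_lt A B: return 0 (true) if dotted version A is older than B.
# Compares up to three numeric components; missing components count as 0.
version_lt() {
    a=$1; b=$2
    for i in 1 2 3; do
        x=$(printf '%s\n' "$a" | awk -F. -v i="$i" '{ print $i + 0 }')
        y=$(printf '%s\n' "$b" | awk -F. -v i="$i" '{ print $i + 0 }')
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# zlib_needs_upgrade VER: true if VER is older than the fixed release.
zlib_needs_upgrade() {
    version_lt "$1" "$FIXED_VERSION"
}

# libz_from_ldd: read ldd output on stdin, print the resolved path of the
# shared libz (if any). Lines like "libz.so.1 => not found" are skipped.
libz_from_ldd() {
    awk '$1 ~ /^libz\.so/ && $2 == "=>" && $3 ~ /^\// { print $3; exit }'
}

# zlib_version_from_strings: read `strings` output on stdin and print the
# version from zlib's copyright string, e.g. " inflate 1.1.3 Copyright ...".
# (Assumption: the object embeds that string, as zlib 1.1.x does.)
zlib_version_from_strings() {
    awk '$1 == "inflate" && $2 ~ /^[0-9]+\.[0-9]+/ { print $2; exit }'
}

# zlib_version_of FILE: version of the zlib compiled into FILE, or empty.
zlib_version_of() {
    strings "$1" 2>/dev/null | zlib_version_from_strings
}

# scan_bindir DIR: report every executable in DIR that carries zlib.
scan_bindir() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        lib=$(ldd "$f" 2>/dev/null | libz_from_ldd)
        if [ -n "$lib" ]; then
            src=$lib          # dynamically linked: inspect the shared object
        else
            src=$f            # no shared libz: look for a static copy inside
        fi
        ver=$(zlib_version_of "$src")
        [ -n "$ver" ] || continue   # no zlib in this binary at all
        if zlib_needs_upgrade "$ver"; then
            printf 'VULNERABLE %s (zlib %s in %s)\n' "$f" "$ver" "$src"
        else
            printf 'ok         %s (zlib %s in %s)\n' "$f" "$ver" "$src"
        fi
    done
}

# Usage: sh zlibcheck.sh bin/sparc-solaris2.7 bin/mips-irix6.5 ...
if [ $# -gt 0 ]; then
    for d in "$@"; do
        scan_bindir "$d"
    done
fi
```

Run it over each bin/<arch> directory of the CD image. A "VULNERABLE" line
names a binary that still carries zlib 1.1.3 or older and needs to be
relinked (shared) or rebuilt (static) against 1.1.4; a binary that links
libz.so dynamically is fixed simply by installing the new shared library,
as Nelson notes for gs.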