[tex-live] zlib vulnerability: upgrade to 1.1.4

Nelson H. F. Beebe beebe@math.utah.edu
Mon, 11 Mar 2002 17:59:10 -0700 (MST)


The attached security bulletin about a need to upgrade zlib to version
1.1.4 is relevant to the gs-devel and gs-test lists, and also to
tex-archive, CTAN, and possibly also tex-live folks, so I'm reposting
it to several lists [in separate messages.]

I've just completed building, testing, and installing the new zlib on
all local architectures at my site.  

For those versions of gs built with shared libraries (the default on
most current UNIX architectures), no changes are needed, since the
reference to libz.so will automatically get the new version the next
time gs is run.

In the TeX-Live 6 CD, there are no executables in 

	bin/alphaev5-osf4.0d
	bin/mips-irix6.5
	bin/sparc-solaris2.7

that refer to this library, according to ldd, but there might be in
the upcoming TeX-Live 7 CD.  This should be checked ASAP, for all
supported binary distributions.

There are copies of the old, now outdated, zlib-1.1.3.gz and
zlib113.zip files in the CTAN archives in

	tex-archive/tools/zip/info-zip/zlib/

They should be replaced by the new files

	http://www.libpng.org/pub/png/src/zlib-1.1.4.tar.gz
	http://www.libpng.org/pub/png/src/zlib114.zip


  ---------------

Date: Mon, 11 Mar 2002 13:26:49 -0800
Message-Id: <200203112126.g2BLQniv026666@newbolt.sonic.net>
From: Greg Roelofs <newt@pobox.com>
To: info-zip@sonic.net, info-zip-announce@lists.wku.edu,
        mng-list@ccrc.wustl.edu, png-announce@ccrc.wustl.edu,
        png-implement@ccrc.wustl.edu, png-list@ccrc.wustl.edu
Subject: [mng-list] zlib vulnerability:  upgrade to 1.1.4
Cc: zip-bugs@lists.wku.edu
Sender: owner-mng-list@ccrc.wustl.edu
Precedence: bulk
Reply-To: mng-list@ccrc.wustl.edu

Folks,

The CERT release isn't yet out (as I write this), but news.com just
published an article (not entirely accurate), and as a consequence,
zlib.org has gone public as well:

	http://news.com.com/2102-1001-857008.html
	http://www.zlib.org/

Basically, there's a double-free bug in zlib, and a carefully crafted
(bogus) inflate stream could corrupt the host application's memory
management and conceivably execute arbitrary code.  There are no known
exploits for this so far, but there have been cases of attacks being
attempted.  Given the pervasiveness of zlib in software, this should
be considered a fairly serious vulnerability.

So grab zlib 1.1.4 and start compiling, eh?  Note that gzip and Zip
are not vulnerable, and only custom versions of UnZip (compiled with
USE_ZLIB) should be.

Oops, the CERT advisory just went out.  It doesn't seem to be on their
(very slow) web site yet, however.

-- 
Greg Roelofs            newt@pobox.com             http://pobox.com/~newt/
Newtware, PNG Group, Info-ZIP, AlphaWorld Map, Philips Semiconductors, ...


-------------------------------------------------------------------------------
- Nelson H. F. Beebe                    Tel: +1 801 581 5254                  -
- Center for Scientific Computing       FAX: +1 801 585 1640, +1 801 581 4148 -
- University of Utah                    Internet e-mail: beebe@math.utah.edu  -
- Department of Mathematics, 110 LCB        beebe@acm.org  beebe@computer.org -
- 155 S 1400 E RM 233                       beebe@ieee.org                    -
- Salt Lake City, UT 84112-0090, USA    URL: http://www.math.utah.edu/~beebe  -
-------------------------------------------------------------------------------
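
As an added example (not part of the original message or of any project it mentions), here is one way to run the ldd check described above across a whole binary tree. It goes beyond the message by also catching statically linked copies, which it finds by looking for the version banner that zlib compiles into its inflate and deflate code. It assumes GNU grep (`-a -o`), and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are constructed for illustration.
FIXED=1.1.4   # fixed release named in the bulletin

# version_lt A B: true if dotted version A is older than B
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# embedded_zlib_version FILE: print the first version found in zlib's
# compiled-in " inflate X.Y.Z Copyright" / " deflate X.Y.Z Copyright" banner
embedded_zlib_version() {
    LC_ALL=C grep -a -o -E '(inflate|deflate) [0-9]+(\.[0-9]+)+ Copyright' "$1" 2>/dev/null |
        awk '{ print $2 }' | head -n 1
}

# links_shared_zlib FILE: true if ldd resolves a libz.so dependency.
# ldd may invoke the file's loader, so run it only on trees you trust.
links_shared_zlib() {
    ldd "$1" 2>/dev/null | grep -q 'libz\.so'
}

# audit_tree DIR: one line per file that embeds or dynamically links zlib
audit_tree() {
    find "$1" -type f | sort | while IFS= read -r f; do
        v=$(embedded_zlib_version "$f")
        if [ -n "$v" ] && version_lt "$v" "$FIXED"; then
            echo "STATIC-OLD $v $f"
        elif [ -n "$v" ]; then
            echo "STATIC-OK $v $f"
        elif links_shared_zlib "$f"; then
            echo "SHARED $f"
        fi
    done
}

# Usage: sh audit.sh bin/sparc-solaris2.7
if [ $# -gt 0 ]; then audit_tree "$1"; fi
```

Files reported as STATIC-OLD need a rebuild against 1.1.4, while SHARED ones pick up the fix once libz.so itself is replaced, as the message notes for gs.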