100686 2005-07-29 03:44 0000 app-emulation/emul-linux-x86-baselibs-2.1.1 contains vulnerable version of zlib 2005-08-02 02:06:54 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified AMD64 Linux RESOLVED FIXED A1 [glsa] P2 critical --- 1 Storklerk@ariolc.dyndns.org security@gentoo.org amd64@gentoo.org Storklerk@ariolc.dyndns.org 2005-07-29 03:44:57 0000 app-emulation/emul-linux-x86-baselibs-2.1.1 contains a 32bit version of zlib. The tarball contains the file emul/linux/x86/lib/libz.so.1.2.2 , which according to GLSA-200507-19 is affected by a buffer overflow and potentially execution of arbitrary code. Reproducible: Always Steps to Reproduce: 1.emerge =app-emulation/emul-linux-x86-baselibs-2.1.1 Actual Results: This installs /emul/linux/x86/lib/libz.so.1.2.2 Expected Results: Installation of /emul/linux/x86/lib/libz.so.1.2.3 This is a CRITICAL flaw! If you want to use flash on amd64, you need to use a 32bit browser. Which will use a 32bit zlib. Which is right now a vulnerable version. koon@gentoo.org 2005-07-29 06:00:47 0000 AMD64 team, I guess you need to push a new baselibs package to fix this... blubb@gentoo.org 2005-07-29 06:42:39 0000 i'll provide an updated version asap blubb@gentoo.org 2005-07-29 08:15:55 0000 emul-linux-x86-baselibs-2.2.tar.bz2 is in /space/distfiles-local on toucan, in four hours i'll put the bumped ebuild into the tree blubb@gentoo.org 2005-07-29 12:19:22 0000 ebuild is in portage and marked stable on all arches (what a wonder) willie@froq.net 2005-07-30 10:18:43 0000 If I try to compile Wine now (manually, using gcc32/ no chroot), it fails when linking zlib - ld doesn't seem to recognize libz.so.1.2.3 ("ldconfig -v" lists it, the Flash plugin works - but ld fails)... After downgrading to baselibs-2.1.1, everything works again. gpiez@web.de 2005-07-30 11:28:57 0000 Version 2.2 doesn't have libgmodule-1.2.so.0 anymore. This is needed for configuring turboprint (commercial 32 bit printer driver for canon etc): cruncher ~ # xtpsetup xtpsetup: error while loading shared libraries: libgmodule-1.2.so.0: cannot open shared object file: No such file or directory After downgrading again, xtpsetup works again. blubb@gentoo.org 2005-07-30 11:35:45 0000 In reply to comment 5: Please open another bug for this, but try 2.2.2 first (not yet in portage, but will be commited in a few hours) In reply to comment 6: I'm aware of that, will be fixed with 2.2.2. You may want have a look at bug 100795 koon@gentoo.org 2005-07-30 12:42:12 0000 GLSA 200507-28 jaervosz@gentoo.org 2005-08-02 02:06:54 0000 [10:43:43] <blubb> the problem is: since my emul-linux-x86-baselibs-2.2 had lots of problems, Herbs created 2.1.2, which also fixes the hole and removed the broken 2.2, but the GLSA still says <2.2 is vulnerable GLSA updated