zlib 1.1.4 was checked into portage which fixes this issue for applications that dynamically link against zlib (a package.mask entry should be used to block all older versions in a day or two).

The following applications are mentioned in the redhat advisory because they either statically link against zlib or include their own version. They should either be made to use the linked library version (if possible) or check to see if the upstream has released an updated version:
- kernel (status unknown)
- cvs
- rsync
- dump, rmt
- vnc
- binutils
- gcc v3
- libstdc++ v3

Possibly affected:
- mozilla (seems to have its own libzlib.la in /usr/lib/mozilla)
- freeamp
- amaya
- qt-embedded (do we even have this?)

Commercial applications that are most likely affected but we can do nothing about:
- netscape 4.x
- acroread
I compiled a list of binaries on my machine that may have zlib statically linked. My list is much the same here, but I figured the script might be a little bit helpful to gentoo developers.

find / -type f -perm 755 | xargs egrep "inflate.*Copyright"

Several other patterns could probably be used as well. strings /usr/lib/libz.a should help in finding other culprits. Hope that helps.
Also the whole binary CD has to be redone, because lots of binaries on the CD will be affected too.
OK, new mozilla 0.9.9 is out:

* Mozilla's zlib library contains the fix for the zlib vulnerability. Note that some builds such as the Red Hat RPMs use the system zlib library and you will need to update this library separately. See the Red Hat Linux Errata Advisory.

Working on ebuild.
*** This bug has been marked as a duplicate of 892 ***
This has nothing to do with aspell... assuming bug closing was a mistake
The following packages contain their own zlib code and were either updated to fix the double free in zlib or were patched to use the system zlib instead:
- rrdtool: comes with its own zlib source; patched to fix.
- gcc3.0: patched to use system zlib.
- gcc-2.96: patched to use system zlib.
- mirrordir: comes with its own zlib source; patched to fix.
- vnc: patched to use system zlib.
- ppp: comes with its own zlib source; patched to fix.
- chromium: patched to use system zlib.
- HDF: comes with its own zlib source; patched to fix.
- XFree86: patched to use system zlib.
- kernel: comes with its own zlib source; updates for both the 2.2 and 2.4 kernels are forthcoming due to some other problems that are currently being worked on.
- rsync: comes with its own zlib source; updates will be available shortly as we are currently testing 2.5.3.
- netscape: new binary packages should be available from Netscape soon, and due to its closed source nature no fix is available yet.
rsync-2.5.4 has fixes for it. It can be found at: http://rsync.samba.org/ftp/rsync/rsync-2.5.4.tar.gz. According to their changelog:

rsync 2.5.4 (13 March 2002) "Imitation lizard skin"

BUG FIXES:
* Additional fix for zlib double-free bug. (Martin Pool, Andrew Tridgell) (CVE CAN-2002-0059)

ENHANCEMENTS:
* Merge in changes from zlib 1.1.3 to zlib 1.1.4. (Jos Backus)

(Note that rsync still uses a custom version of zlib; you can not just link against a system library. See zlib/README.rsync)
net-analyzer/rrdtool should be updated too, to 1.0.34.

ChangeLog for RRDtool 1.0.x
---------------------------
- bugfix, + enhancement, * contrib, = RELEASE
---------------------------------------------
= 1.0.34 2001/03/12 -- Tobi
- 2002/02/12 -- Tobi
* replaced zlib 1.1.3 with 1.1.4
This is the patch to let vnc use the system's zlib.

net-misc/vnc/vnc-3.3.3-r2.ebuild

patch:
--- vnc_unixsrc/vncviewer/Imakefile.fred Tue Feb 12 16:51:38 2002 +++ vnc_unixsrc/vncviewer/Imakefile Tue Feb 12 16:55:48 2002 @@ -15,8 +15,8 @@ INCLUDES = -I../include -I. -I/usr/include VNCAUTH_LIB = ../libvncauth/libvncauth.a -ZLIB_LIB = /usr/lib/libz.a -JPEG_LIB = /usr/lib/libjpeg.a +ZLIB_LIB = -lz +JPEG_LIB = -ljpeg DEPLIBS = XawClientDepLibs $(VNCAUTH_LIB) $(ZLIB_LIB) $(JPEG_LIB) LOCAL_LIBRARIES = XawClientLibs $(VNCAUTH_LIB) $(ZLIB_LIB) $(JPEG_LIB)
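Review bot: in the Imakefile hunk, $(ZLIB_LIB) and $(JPEG_LIB) remain in DEPLIBS after being changed from library file paths to "-lz" and "-ljpeg"; DEPLIBS is a make prerequisite list, so only GNU make's special treatment of "-lNAME" prerequisites keeps this from failing with "No rule to make target `-lz'", and a safer change is to drop both from DEPLIBS while keeping them in LOCAL_LIBRARIES. Note also that the hunk touches only vncviewer/Imakefile, so any zlib copy built into other parts of the vnc tree is not covered by this patch.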
Fix for ppp: net-dialup/ppp/ppp-2.4.1-r6.ebuild

ppp: comes with its own zlib source; patched to fix.

patch: http://www.clan-tva.com/m0rpheus/ppp-2.4.1-zfree.patch
From the redhat SRPM for gcc-3.0.4-20020221, we have this patch: --- fastjar/configure.in.jj Fri Dec 15 19:45:09 2000 +++ fastjar/configure.in Thu Feb 21 23:26:05 2002 @@ -38,9 +38,12 @@ dnl Check byte order AC_C_BIGENDIAN dnl Brain dead check for tree's zlib -ZDEPS='$(top_builddir)/../zlib/libz.a' -ZLIBS="$ZDEPS -L\$(here)/../zlib/$libsubdir" -ZINCS='-I$(top_srcdir)/../zlib' +#ZDEPS='$(top_builddir)/../zlib/libz.a' +#ZLIBS="$ZDEPS -L\$(here)/../zlib/$libsubdir" +#ZINCS='-I$(top_srcdir)/../zlib' +ZDEPS= +ZLIBS=-lz +ZINCS= AC_SUBST(ZLIBS) AC_SUBST(ZDEPS) AC_SUBST(ZINCS) --- fastjar/configure.jj Sun Jan 7 12:33:20 2001 +++ fastjar/configure Thu Feb 21 23:26:45 2002 @@ -1963,9 +1963,12 @@ EOF fi -ZDEPS='$(top_builddir)/../zlib/libz.a' -ZLIBS="$ZDEPS -L\$(here)/../zlib/$libsubdir" -ZINCS='-I$(top_srcdir)/../zlib' +#ZDEPS='$(top_builddir)/../zlib/libz.a' +#ZLIBS="$ZDEPS -L\$(here)/../zlib/$libsubdir" +#ZINCS='-I$(top_srcdir)/../zlib' +ZDEPS= +ZLIBS=-lz +ZINCS=
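Review bot: both hunks replace the in-tree zlib with an unconditional "ZLIBS=-lz", so configure no longer verifies that a usable system libz (header and library) is present, and a build on a host without it fails later at compile or link time with a less obvious error. Adding an AC_CHECK_LIB(z, inflate) plus a header check to configure.in before the assignment, and regenerating configure instead of hand-editing the generated file, would keep the two files in sync and give a clear configure-time failure. The commented-out ZDEPS/ZLIBS/ZINCS lines carry no information and can simply be removed.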
So far the only kernel fix I can find is for 2.2.19, but that is not relevant to Gentoo, is it?
OK, XFree86's patch can be found at: ftp://ftp.xfree86.org/pub/XFree86/4.2.0/fixes/4.2.0-zlib-security.patch

From the ERRATA document at xfree86.org:

3. Potential vulnerability in zlib. A recently released CERT vulnerability notice (VU#368819) describes a potential vulnerability in some versions of zlib. XFree86 4.2.0 includes zlib 1.0.8, and uses it on some platforms. A source patch to correct this is available in the fixes subdirectory (4.2.0-zlib-security.patch). It is also included in the xf-4_2-branch branch of the XFree86 CVS repository.

According to the CERT report, though:

XFree86 versions 4.0 through 4.2.0 include zlib version 1.0.8. XFree86 3.x includes zlib version 1.0.4. The zlib code included with XFree86 is only used on some platforms. This is determined by the setting of HasZlib in the imake config files in the xc/config/cf source directory. If HasZlib is set to YES in the platform's vendor.cf file(s), then the system-provided zlib is used instead of the XFree86-provided versi

Perhaps that should be a consideration for future X builds, if it is not already?
The vnc patch appears to be pure BS :( The fields it tries to change do not exist either before or after xmkmf and imake are run. And the copy of zlib is under Xvnc, not vncviewer.
rsync 2.5.4 was added to portage and masked out. Someone please test with chiba and unmask... I am rather alarmed that rsync and cvs were not fixed already... I've helped with a few of the zlib fixes but the fact much of them still exist alarms me and looks bad. I will be going on spring break for a week and when I get back I'm going to file individual bug reports for every package still affected and start getting very vocal about it ;)
cvs 1.11.1p1 is in cvs and masked out. It uses redhat's patch to dynamically link against the system libz. I noticed the new upstream package stores the contrib scripts in /usr/share/cvs instead of /usr/lib/cvs... is this a problem? I'll be gone/very sporadic for a week so I don't feel safe committing this stuff in unmasked and not being around to see the fallout :) If it works for you, unmask it :)
if you could, please do so *before* spring break :)
This is just a hack from the script that is posted in bug #1184 from Sorcerer. I did it because I was amnesiac and wanted to test it. I get a nice list of packages. I think it would be easy enough to actually emerge each one on that list too. Dunno if this should be a post install thingy tacked onto zlib, like SGL did, or not. Anyway, just thought you might be interested in this, just cause it might save some time. Dunno, though.

Seemant

---
#!/bin/sh
#
# this script finds the static libraries and executables in
# $TRACKED subdirectories, in order to list and re-compile
# the spells created those.
#
# This way, we will get rid of buggy static compiles.
#
# 20020313, kongar
############################
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# $Id: find_zlib_static,v 1.5 2002/03/13 10:00:26 kongar Exp $
############################

##### end sanity checks

# scratch files; removed again when the script exits
TMPFILE=/tmp/zlibfind.`uuidgen`
FOUND=/tmp/zlibfound.`uuidgen`
trap 'rm -f "$TMPFILE" "$FOUND"' EXIT
touch "$TMPFILE" "$FOUND"

# static archives and statically linked executables under /usr/lib,
# skipping doc/man/source/data directories and shared objects
LIB_LIST=`find /usr/lib \
    ! -regex '.*/doc/.*' ! -regex '.*/man/.*' ! -regex '.*/include/.*' \
    ! -regex '.*/src/.*' ! -regex '.*/share/.*' ! -regex '.*/fonts/.*' \
    ! -regex '.*/info/.*' ! -regex '.*/perl5/.*' ! -regex '.*/site-packages/.*' \
    ! -regex '.*\.so.*' \
    -exec file {} \; \
    | egrep "current ar archive|statically linked" \
    | cut -d ":" -f 1-1`

if [ -z "$LIB_LIST" ]; then
    echo "no static archives or statically linked executables found under /usr/lib" >&2
    exit 0
fi

# keep the ones that carry zlib's deflate/inflate symbols
# (stripped executables show no symbols to nm, so those can be missed)
AFFECTED=`nm --print-file-name $LIB_LIST 2>/dev/null | egrep "deflate|inflate" | cut -d ":" -f 1-1`

for TARGET in $AFFECTED; do
    echo $TARGET >> $TMPFILE
done

#cat $TMPFILE | sort | grep -v libz | uniq
SORTED=`cat $TMPFILE | sort | grep -v libz | uniq`

# map each affected file back to the package that installed it
for SPELL in $SORTED; do
    qpkg -f ${SPELL} >> $FOUND
done

cat $FOUND | sort | uniq
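As an added script (not from this bug or any of the posters) complementing the egrep one-liner and the find_zlib_static script above: instead of only flagging files that mention inflate, it extracts the zlib version embedded in each executable or static archive and lists those older than the fixed 1.1.4 release. It assumes the " inflate X.Y.Z Copyright ... Mark Adler " banner that zlib 1.x compiles into inflate, which is the string the earlier egrep pattern matches.

```shell
#!/bin/sh
# Added example, not from this bug: report the zlib version compiled into
# executables and static archives, and flag anything older than the fixed
# release. Relies on the " inflate X.Y.Z Copyright ... Mark Adler " banner
# that zlib 1.x embeds (the string the earlier egrep scan looks for).

FIXED_VERSION=1.1.4

# Print "<path> <version>" for every executable (owner x bit) or *.a file
# under the given directories that carries an inflate banner.
zlib_embedded_versions() {
    find "$@" -type f \( -perm -100 -o -name '*.a' \) 2>/dev/null |
    while IFS= read -r f; do
        # split the file on non-printable bytes, like strings(1), then pull the version
        v=$(tr -c '[:print:]' '\n' < "$f" |
            sed -n 's/.*inflate \([0-9][0-9.]*\) Copyright.*/\1/p' | head -n 1)
        if [ -n "$v" ]; then
            printf '%s %s\n' "$f" "$v"
        fi
    done
}

# Succeed (exit 0) if dotted version $1 is at least $2, e.g. version_ge 1.2.11 1.1.4.
# A missing component sorts as 0, so "1.1" counts as older than "1.1.4".
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# Print only the files whose embedded zlib predates $FIXED_VERSION.
# (Paths containing spaces are split by read; fine for system directories.)
zlib_vulnerable_files() {
    zlib_embedded_versions "$@" | while read -r f v; do
        version_ge "$v" "$FIXED_VERSION" || printf '%s %s\n' "$f" "$v"
    done
}

# Usage: zlib_vulnerable_files /usr/bin /usr/lib /opt
```

Stripped binaries still carry the banner, so unlike an nm-based scan this also catches executables without a symbol table; it cannot, however, see a zlib copy that was built without the copyright string.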
I think we tackled them all.