Bug 61125 - rpm statically linked with buggy zlib
Summary: rpm statically linked with buggy zlib
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: rpm
Version: 7.2
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Jeff Johnson
QA Contact:
Keywords: Security
Depends On:
Reported: 2002-03-13 22:12 UTC by Chris Ricker
Modified: 2008-05-01 15:38 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2002-03-19 10:33:05 UTC


Description Chris Ricker 2002-03-13 22:12:56 UTC
As was recently noted on bugtraq, the recent zlib update of RH seems to have
missed rpm, which is statically linked with an old implementation:

[kaboom@verdande tmp]$ ./find-zlib -v /bin/rpm 
/bin/rpm: inflate version: "1.1.3 Copyright 1995-1998 Mark Adler"
/bin/rpm: deflate version: "1.1.3 Copyright 1995-1998 Jean-loup Gailly"
/bin/rpm: zlib cplens table, little endian
/bin/rpm: zlib cplext table (version 1.0.5 to 1.1.4)
/bin/rpm: zlib configuration table, little endian, 32 bit
/bin/rpm: 18 out of 18 messages
[kaboom@verdande tmp]$ rpm -qf /bin/rpm
[kaboom@verdande tmp]$
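Added example, not part of the bug report and not the find-zlib tool whose output is quoted above: a small Python scanner that looks for the copyright strings zlib compiles into inflate.c and deflate.c (" inflate 1.1.3 Copyright 1995-1998 Mark Adler " and " deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly ") and reports which zlib version a binary carries statically linked. The sample binary bytes are constructed for the example. The 1.1.4 threshold is an assumption of the example (the upstream zlib release that carried the inflate double-free fix); a vendor-patched 1.1.3 still reports 1.1.3, so a version below the threshold means "check the package changelog for a backport", not "confirmed vulnerable".

```python
import re
import sys
from typing import Dict, List, Tuple

# zlib compiles two copyright strings into any binary that links it, one from
# inflate.c and one from deflate.c, e.g.
#   " inflate 1.1.3 Copyright 1995-1998 Mark Adler "
#   " deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly "
# Matching the whole phrase is far more reliable than grepping for "1.1.3",
# which is too generic to attribute to zlib.
ZLIB_MARKER = re.compile(
    rb"\b(inflate|deflate) "                            # component
    rb"(\d+\.\d+(?:\.\d+)?) "                           # version, e.g. 1.1.3
    rb"Copyright (\d{4})-(\d{4}) "                      # year range
    rb"([A-Za-z][A-Za-z.-]*(?: [A-Za-z][A-Za-z.-]*)*)"  # author name(s)
    rb"(?= |\x00|$)"                                    # zlib ends the string with a space, then NUL
)

# Assumed fixed version (see lead-in): the upstream zlib release that carried
# the inflate double-free fix. A distribution may backport the fix and keep the
# older version string, so a hit below this is "review", not "exploitable".
FIXED_UPSTREAM: Tuple[int, ...] = (1, 1, 4)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.1.3' into (1, 1, 3) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def find_zlib_markers(data: bytes) -> List[Dict[str, object]]:
    """Return every zlib copyright string found in a byte blob, with its offset."""
    hits = []
    for m in ZLIB_MARKER.finditer(data):
        hits.append({
            "component": m.group(1).decode("ascii"),
            "version": m.group(2).decode("ascii"),
            "years": m.group(3).decode("ascii") + "-" + m.group(4).decode("ascii"),
            "author": m.group(5).decode("ascii"),
            "offset": m.start(),
        })
    return hits


def needs_review(hits: List[Dict[str, object]], fixed: Tuple[int, ...] = FIXED_UPSTREAM) -> List[str]:
    """Distinct embedded zlib versions older than the assumed fixed release."""
    versions = {str(h["version"]) for h in hits}
    return sorted(v for v in versions if parse_version(v) < fixed)


def scan_file(path: str) -> Dict[str, object]:
    """Scan one file on disk, e.g. /bin/rpm, and summarise what it embeds."""
    with open(path, "rb") as f:
        hits = find_zlib_markers(f.read())
    return {"path": path, "hits": hits, "review": needs_review(hits)}


# Constructed sample: an ELF-looking header, padding, and the two zlib 1.1.3
# strings laid out the way zlib stores them (leading/trailing space, NUL).
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x90" * 16
    + b" inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00"
    + b"\xcc" * 8
    + b" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \x00"
    + b"rpm\x00"
)

if __name__ == "__main__":
    # Usage: python find_zlib.py /bin/rpm [more binaries ...]
    # With no arguments the constructed sample is scanned instead.
    targets = sys.argv[1:]
    if targets:
        results = [scan_file(p) for p in targets]
    else:
        sample_hits = find_zlib_markers(SAMPLE_BINARY)
        results = [{"path": "<sample>", "hits": sample_hits, "review": needs_review(sample_hits)}]
    fixed_str = ".".join(str(n) for n in FIXED_UPSTREAM)
    for r in results:
        for h in r["hits"]:
            print(f'{r["path"]}: {h["component"]} {h["version"]} ({h["author"]}) at 0x{h["offset"]:x}')
        if r["review"]:
            print(f'{r["path"]}: embedded zlib {", ".join(r["review"])} predates {fixed_str}; check whether the fix was backported')
        elif not r["hits"]:
            print(f'{r["path"]}: no zlib copyright strings found (not linked statically, or strings altered)')
```

Run it against /bin/rpm and any other setuid or network-facing binary that might bundle its own zlib; a binary that links libz.so dynamically will show no markers here but is covered by the shared library update instead, so an empty result for a file that does compress data is worth a second look with ldd.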

Comment 1 Henning Schmiedehausen 2002-03-19 10:33:00 UTC
This also applied to the RH 6.2 version of RPM!

Comment 2 Jeff Johnson 2002-03-27 19:39:08 UTC
Fixed (by linking against patched 1.1.3) in
Raw Hide in (at least) rpm-4.0.4-7x.9

As there's no known way to exercise the double
free in zlib from an rpm package, there won't
be an errata for 6x.
