61125 – rpm statically linked with buggy zlib

Bug 61125 - rpm statically linked with buggy zlib

Summary: rpm statically linked with buggy zlib

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Red Hat Linux
Classification:	Retired
Component:	rpm
Sub Component:
Version:	7.2
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Jeff Johnson
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2002-03-13 22:12 UTC by Chris Ricker
Modified:	2008-05-01 15:38 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2002-03-19 10:33:05 UTC
Embargoed:

Attachments	(Terms of Use)

Description Chris Ricker 2002-03-13 22:12:56 UTC

As was recently noted on bugtraq, the recent zlib update of RH seems to have
missed rpm, which is statically linked with an old implementation:

[kaboom@verdande tmp]$ ./find-zlib -v /bin/rpm 
/bin/rpm: inflate version: "1.1.3 Copyright 1995-1998 Mark Adler"
/bin/rpm: deflate version: "1.1.3 Copyright 1995-1998 Jean-loup Gailly"
/bin/rpm: zlib cplens table, little endian
/bin/rpm: zlib cplext table (version 1.0.5 to 1.1.4)
/bin/rpm: zlib configuration table, little endian, 32 bit
/bin/rpm: 18 out of 18 messages
[kaboom@verdande tmp]$ rpm -qf /bin/rpm
rpm-4.0.3-1.03
[kaboom@verdande tmp]$

Comment 1 Henning Schmiedehausen 2002-03-19 10:33:00 UTC

This also applied to the RH 6.2 version of RPM!

Comment 2 Jeff Johnson 2002-03-27 19:39:08 UTC

Fixed (by linking against patched 1.1.3) in
Raw Hide in (at least) rpm-4.0.4-7x.9

As there's no known way to exercise the double
free in zlib from an rpm package, there won't
be an errata for 6x.

Note You need to log in before you can comment on or make changes to this bug.