Bug 61125 - rpm statically linked with buggy zlib
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: rpm
Version: 7.2
Platform: i386 Linux
Priority: medium
Severity: medium
Assigned To: Jeff Johnson
Keywords: Security
Reported: 2002-03-13 17:12 EST by Chris Ricker
Modified: 2008-05-01 11:38 EDT
Doc Type: Bug Fix
Last Closed: 2002-03-19 05:33:05 EST

Description Chris Ricker 2002-03-13 17:12:56 EST
As was recently noted on bugtraq, the recent zlib update of RH seems to have
missed rpm, which is statically linked with an old implementation:

[kaboom@verdande tmp]$ ./find-zlib -v /bin/rpm 
/bin/rpm: inflate version: "1.1.3 Copyright 1995-1998 Mark Adler"
/bin/rpm: deflate version: "1.1.3 Copyright 1995-1998 Jean-loup Gailly"
/bin/rpm: zlib cplens table, little endian
/bin/rpm: zlib cplext table (version 1.0.5 to 1.1.4)
/bin/rpm: zlib configuration table, little endian, 32 bit
/bin/rpm: 18 out of 18 messages
[kaboom@verdande tmp]$ rpm -qf /bin/rpm
rpm-4.0.3-1.03
[kaboom@verdande tmp]$
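A defender-side version of the check in the report above, as an added example that is not part of the bug report or of the find-zlib tool: it scans a binary image for the inflate/deflate banner strings zlib embeds and flags any version older than 1.1.4, the release that fixed the double free. The banner layout is assumed from the strings find-zlib printed, and the sample images are constructed.

```python
import re
import sys

# zlib compiles a copyright banner into both its inflate and deflate objects,
# e.g. " inflate 1.1.3 Copyright 1995-1998 Mark Adler ". Matching that banner
# is the same trick the find-zlib scan in the report relies on; the exact
# layout (surrounding spaces, NUL terminator) is an assumption.
ZLIB_BANNER = re.compile(
    rb"(?P<func>inflate|deflate) (?P<ver>\d+(?:\.\d+)+) "
    rb"Copyright \d{4}-\d{4} (?P<author>[A-Za-z\-]+(?: [A-Za-z\-]+)*)"
)

# First release without the inflate double free; anything below it is
# treated as vulnerable (assumption made for this example).
FIXED_VERSION = (1, 1, 4)


def parse_version(text):
    """'1.1.3' -> (1, 1, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def find_zlib_versions(data):
    """Return [(func, version_tuple, author), ...] for every banner in data."""
    hits = []
    for m in ZLIB_BANNER.finditer(data):
        hits.append((m.group("func").decode(),
                     parse_version(m.group("ver").decode()),
                     m.group("author").decode()))
    return hits


def audit_blob(data):
    """Report which zlib banners an image carries and which are pre-1.1.4."""
    found = find_zlib_versions(data)
    old = [hit for hit in found if hit[1] < FIXED_VERSION]
    return {"found": found, "vulnerable": old, "clean": bool(found) and not old}


# Constructed sample images standing in for /bin/rpm before and after the fix.
STATIC_OLD = (b"\x7fELF junk "
              b" inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00 more junk "
              b" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \x00")
STATIC_FIXED = b"\x00 inflate 1.1.4 Copyright 1995-2002 Mark Adler \x00"
DYNAMIC = b"\x7fELF libz.so.1\x00"  # no banner: zlib lives in the shared lib

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else STATIC_OLD
    report = audit_blob(blob)
    for func, ver, author in report["found"]:
        print(f"{func} version {'.'.join(map(str, ver))} ({author})")
    print("vulnerable zlib embedded" if report["vulnerable"] else "no old zlib banner")
```

A binary that links zlib dynamically carries no banner at all, so an empty result only says zlib is not embedded; the shared libz it loads still has to be checked separately.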
Comment 1 Henning Schmiedehausen 2002-03-19 05:33:00 EST
This also applied to the RH 6.2 version of RPM!
Comment 2 Jeff Johnson 2002-03-27 14:39:08 EST
Fixed (by linking against patched 1.1.3) in
Raw Hide in (at least) rpm-4.0.4-7x.9

As there's no known way to exercise the double
free in zlib from an rpm package, there won't
be an errata for 6x.
