XFree86 Information for VU#368819
Double Free Bug in zlib Compression Library Corrupts malloc's Internal Data Structures
- Date Notified: 05 Mar 2002
- Statement Date:
- Date Updated: 11 Mar 2002
XFree86 versions 4.0 through 4.2.0 include zlib version 1.0.8. XFree86 3.x includes zlib version 1.0.4. The zlib code included with XFree86 is only used on some platforms. This is determined by the setting of HasZlib in the imake config files in the xc/config/cf source directory. If HasZlib is set to YES in the platform's vendor.cf file(s), then the system-provided zlib is used instead of the XFree86-provided version. XFree86 uses the system-provided zlib by default only on the following platforms:
- FreeBSD 2.2 and later
- NetBSD 1.2.2 and later
The zlib code in XFree86 has been fixed in the CVS repository (trunk and the xf-4_2-branch branch) as of 14 February 2002. A source patch for XFree86 4.2.0 will be available from ftp://ftp.xfree86.org/pub/XFree86/4.2.0/fixes/.
The following XFree86 4.2.0 binary distributions provided by XFree86 include and use a vulnerable version of zlib:
To check if an installation of XFree86 includes zlib, see if the following file exists:
Various vendors repackage and distribute XFree86, and may use settings and configurations different from those described here.
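One way to audit a source tree for the HasZlib setting described in the statement above, as an added example that is not XFree86 or CERT/CC code. It assumes the setting is written as a cpp line of the form `#define HasZlib YES|NO`; the sample file names and contents are constructed, and the `CF_DIR` variable is an assumption of this example.

```sh
#!/bin/sh
# Added example (not XFree86 code): report how HasZlib is set in imake
# platform config files such as those under xc/config/cf.
# Assumption: the setting is written as a cpp line "#define HasZlib YES|NO".

# Print YES, NO, MIXED (both values occur, e.g. under #if) or UNSET.
haszlib_setting() {
    vals=$(sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]][[:space:]]*HasZlib[[:space:]][[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | sort -u | tr '\n' ' ')
    case "$vals" in
        "YES ") echo YES ;;
        "NO ")  echo NO ;;
        "")     echo UNSET ;;
        *)      echo MIXED ;;
    esac
}

# Map the setting to the zlib the build uses, per the vendor statement:
# YES selects the system-provided zlib instead of the XFree86-provided copy.
zlib_source() {
    case "$(haszlib_setting "$1")" in
        YES)   echo "system zlib" ;;
        NO)    echo "bundled zlib" ;;
        MIXED) echo "depends on cpp conditionals, review by hand" ;;
        UNSET) echo "not set in this file" ;;
    esac
}

# Constructed sample files standing in for a cf directory (hypothetical names).
make_samples() {
    d=$(mktemp -d)
    printf '#ifndef HasZlib\n#define HasZlib YES\n#endif\n' > "$d/sysz.cf"
    printf '#ifndef HasZlib\n# define HasZlib\tNO\n#endif\n' > "$d/bundled.cf"
    printf '#if OSMajorVersion >= 3\n#define HasZlib YES\n#else\n#define HasZlib NO\n#endif\n' > "$d/mixed.cf"
    printf '#define HasGcc YES\n' > "$d/unset.cf"
    echo "$d"
}

# Set CF_DIR to a real config directory; otherwise the samples are scanned.
CF_DIR=${CF_DIR:-$(make_samples)}
for f in "$CF_DIR"/*.cf; do
    printf '%s: %s\n' "$f" "$(zlib_source "$f")"
done
```

The scan does not evaluate preprocessor conditionals, so a file reported as MIXED has to be read against the platform and OS version actually being built.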
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.