XFree86 Information for VU#368819

Double Free Bug in zlib Compression Library Corrupts malloc's Internal Data Structures

Status

Affected

Vendor Statement

XFree86 versions 4.0 through 4.2.0 include zlib version 1.0.8. XFree86 3.x includes zlib version 1.0.4. The zlib code included with XFree86 is only used on some platforms. This is determined by the setting of HasZlib in the imake config files in the xc/config/cf source directory. If HasZlib is set to YES in the platform's vendor.cf file(s), then the system-provided zlib is used instead of the XFree86-provided version. XFree86 uses the system-provided zlib by default only on the following platforms:

    FreeBSD 2.2 and later
    NetBSD 1.2.2 and later
    OpenBSD
    Darwin
    Debian Linux


The zlib code in XFree86 has been fixed in the CVS repository (trunk and the xf-4_2-branch branch) as of 14 February 2002. A source patch for XFree86 4.2.0 will be available from ftp://ftp.xfree86.org/pub/XFree86/4.2.0/fixes/.

The following XFree86 4.2.0 binary distributions provided by XFree86 include and use a vulnerable version of zlib:
    Linux-alpha-glibc22
    Linux-ix86-glibc22
When updated binaries are available, it'll be documented at http://www.xfree86.org/4.2.0/UPDATES.html.

To check if an installation of XFree86 includes zlib, see if the following file exists:
    /usr/X11R6/lib/libz.a
To check if an XFree86 X server is dynamically linked with zlib, look for a line containing 'libz' in the output of 'ldd /usr/X11R6/bin/XFree86'.

Various vendors repackage and distribute XFree86, and may use settings and configurations different from those described here.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.