Hewlett-Packard Company Information for VU#368819

Double Free Bug in zlib Compression Library Corrupts malloc's Internal Data Structures
Vendor Statement

Some HP-UX software (for example, X and lbxproxy) is linked with the 1.0.8 version of zlib. This version came before the introduction of the reported double free problem and is not vulnerable.

Other HP-UX software (for example, OpenSSH) is linked with the latest zlib (1.1.4) and is not vulnerable.
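The statement above reduces to a version triage: anything at or before zlib 1.0.8 predates the double free, 1.1.4 carries the fix, and releases in between need to be checked against the bulletins. The following is an added example (not HP's or zlib's code) that classifies a zlib version string, such as the value returned by zlib's own `zlibVersion()` or the string found with `strings` in a linked binary, according to those two boundaries. The names `classify_zlib_version`, `parse_version` and the `zlib_status` enum are assumptions for this example; the "review" band for 1.0.9 through 1.1.3 is inferred from the two versions the statement names, not a claim about which of those releases are actually affected.

```c
#include <stdio.h>
#include <stdlib.h>

/* Outcome of comparing a zlib version against the boundaries HP cites. */
enum zlib_status {
    ZLIB_UNPARSEABLE, /* not an X.Y.Z version string */
    ZLIB_PREDATES,    /* <= 1.0.8: released before the double free was introduced */
    ZLIB_REVIEW,      /* 1.0.9 .. 1.1.3: check the vendor bulletin for this build */
    ZLIB_FIXED        /* >= 1.1.4: contains the fix */
};

/* Parse a dotted version string ("1.1.4", "1.2.11") into three integers.
 * Extra dotted components after the third are ignored. Returns 1 on
 * success, 0 when the string does not start with X.Y.Z. */
static int parse_version(const char *s, int *major, int *minor, int *patch)
{
    long parts[3];
    char *end;
    int i;

    for (i = 0; i < 3; i++) {
        if (*s < '0' || *s > '9')
            return 0;
        parts[i] = strtol(s, &end, 10);
        s = end;
        if (i < 2) {
            if (*s != '.')
                return 0;
            s++;
        }
    }
    if (*s != '\0' && *s != '.')
        return 0;
    *major = (int)parts[0];
    *minor = (int)parts[1];
    *patch = (int)parts[2];
    return 1;
}

/* Three-way comparison of (a0.a1.a2) against (b0.b1.b2), like strcmp. */
static int compare_version(int a0, int a1, int a2, int b0, int b1, int b2)
{
    if (a0 != b0) return a0 < b0 ? -1 : 1;
    if (a1 != b1) return a1 < b1 ? -1 : 1;
    if (a2 != b2) return a2 < b2 ? -1 : 1;
    return 0;
}

/* Classify a zlib version string using the boundaries from the HP
 * statement: 1.0.8 predates the bug, 1.1.4 is fixed. The band in between
 * is an assumption of this example and is reported as "review". */
enum zlib_status classify_zlib_version(const char *version)
{
    int major, minor, patch;

    if (!parse_version(version, &major, &minor, &patch))
        return ZLIB_UNPARSEABLE;
    if (compare_version(major, minor, patch, 1, 0, 8) <= 0)
        return ZLIB_PREDATES;
    if (compare_version(major, minor, patch, 1, 1, 4) >= 0)
        return ZLIB_FIXED;
    return ZLIB_REVIEW;
}

int main(void)
{
    /* Constructed sample inputs; in practice feed the string reported by
     * zlibVersion() or extracted from the library with strings(1). */
    const char *samples[] = { "1.0.8", "1.1.3", "1.1.4", "1.2.11", "1.1" };
    const char *labels[] = { "unparseable", "predates bug", "review bulletin", "fixed" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("zlib %-8s -> %s\n", samples[i], labels[classify_zlib_version(samples[i])]);
    return 0;
}
```

The check tells you only which band a build falls in; for a 1.0.9 to 1.1.3 build, the HP bulletins listed under Vendor References are the authority on whether that specific package needs the patch.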

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

HP has published multiple HP Security Bulletins to address this issue:

    HPSBTL0204-037 Security vulnerability in audit subsystem
    HPSBTL0204-036 Security vulnerabilities in the kernel
    HPSBTL0204-030 Security vulnerability in zlib library
    HPSBTL0203-029 Security vulnerability in openssh-clients
    HPSBUX0211-0226 SSRT2146 Java Zlib compression libraries bug

For further information, please visit http://itrc.hp.com and search for the appropriate reference number. Please note that registration may be required to access these documents.

If you have feedback, comments, or additional information about this vulnerability, please send us email.