18 Commits

Author SHA1 Message Date
curt
9795c5dd6b Added src-libs subdirectory for keeping source code to extra libs. These
are things that are needed, but that many systems already have packages
available to install, and many users may have versions of these already
installed to support other projects.  So rather than build and install by
default with the main SimGear build/install, these are kept separate so that
those users that don't have them already installed can build and install
them separately.
2002-04-03 21:21:29 +00:00
curt
f6ed02c3fb zlib-1.1.3 had a potential security flaw which is fixed by zlib-1.1.4:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Zlib Advisory 2002-03-11
zlib Compression Library Corrupts malloc Data Structures via Double Free

   Original release date: March 11, 2002
   Last revised: March 11, 2002
   Source: This advisory is based on a CERT advisory written
           by Jeffrey P. Lanza  http://www.kb.cert.org/vuls/id/368819

Systems Affected

     * Any software that is linked against zlib 1.1.3 or earlier
     * Any data compression library derived from zlib 1.1.3 or earlier

Overview

   There is a vulnerability in the zlib shared library that may introduce
   vulnerabilities   into   any   program   that   includes   zlib.  This
   vulnerability has been assigned a CVE name of CAN-2002-0059
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0059

I. Description

   There  is  a  vulnerability in the decompression algorithm used by the
   popular  zlib  compression  library.  If an attacker is able to pass a
   specially-crafted  block of invalid compressed data to a program  that
   includes zlib,  the program's  attempt to decompress  the crafted data
   can cause the  zlib  routines to corrupt the internal data  structures
   maintained by malloc.

   The  vulnerability  results  from  a  programming  error  that  causes
   segments of dynamically allocated memory to be released more than once
   (aka.   "double-freed").  Specifically,  when  inftrees.c:huft_build()
   encounters  the  crafted data, it returns an unexpected Z_MEM_ERROR to
   inftrees.c:inflate_trees_dynamic().  When a subsequent call is made to
   infblock.c:inflate_blocks(), the inflate_blocks function tries to free
   an internal data structure a second time.

   Because  this  vulnerability interferes with the proper allocation and
   de-allocation of dynamic memory, it may be possible for an attacker to
   influence  the  operation  of  programs  that  include  zlib.  In most
   circumstances,  this influence will be limited to denial of service or
   information  leakage, but it is theoretically possible for an attacker
   to  insert  arbitrary  code into a running program. This code would be
   executed with the permissions of the vulnerable program.

II. Impact

   This vulnerability may introduce vulnerabilities into any program that
   includes  the  affected library. Depending upon how and where the zlib
   routines   are   called   from   the   given  program,  the  resulting
   vulnerability may have one or more of the following impacts: denial of
   service, information leakage, or execution of arbitrary code.

III. Solution

Upgrade your version of zlib

   The  maintainers  of  zlib have released version 1.1.4 to address this
   vulnerability.  Any software that is linked against or derived from an
   earlier  version  of  zlib  should be upgraded immediately. The latest
   version of zlib is available at http://www.zlib.org

   The md5 sums of the source archives are:
       abc405d0bdd3ee22782d7aa20e440f08  zlib-1.1.4.tar.gz
       ea16358be41384870acbdc372f9db152  zlib-1.1.4.tar.bz2

IV. Acknowledgments

Thanks to Owen Taylor and Mark Cox of Redhat, Inc. for the
reporting and research of this vulnerability.


This document is available from
http://www.gzip.org/zlib/advisory-2002-03-11.txt

The public PGP key of zlib author Jean-loup Gailly is available from
http://www.gzip.org/zlib/jloup.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8jSR02aJ9JQGWcacRAuDEAKCWdrRkWeJV9lYU5z8NN56s3m8eKACglR4m
42KDUGHuftBkwACTMCnZLEo=
=3yLS
-----END PGP SIGNATURE-----
2002-03-11 23:03:19 +00:00
curt
47eb7efafa Added README's to distribution. 2002-02-14 21:35:32 +00:00
curt
98a9b4a10c Minor clean ups. 2002-01-19 13:37:22 +00:00
curt
5039c84fd0 Removed metakit and zlib from the configure/build process. The
developer will need to build and install these separately if they
don't have packages already installed by their system.  See
README.metakit and README.zlib for more details.

As a convenience, pristine tarballs of the metakit and zlib source
code trees are included with the simgear distribution (and cvs.)
2001-12-29 00:38:04 +00:00
curt
76084f8538 Oops, typo ... 2001-11-12 18:20:32 +00:00
curt
64c408d2b7 Updated RPM make rule as per Ross Golder. 2001-11-12 17:37:24 +00:00
curt
36ef15940e Changes for 0.7.8 2001-06-20 18:12:18 +00:00
curt
b82e02b5ed Tweaks. 2001-05-03 01:58:50 +00:00
curt
6cc32a56b9 Added some convenience functions to point3d. 2001-04-24 20:01:52 +00:00
curt
c412739040 Updates for 0.0.15 2000-12-20 04:57:54 +00:00
curt
ceef43681d First stab at replacing gdbm with metakit. 2000-05-27 03:43:44 +00:00
curt
1547d4ee2f RedHat package building changes contributed by Habibie <habibie@MailandNews.com> 2000-03-28 19:49:07 +00:00
curt
8b75fbc1e6 Update for next (0.0.6) release. 2000-03-17 22:20:32 +00:00
curt
82f410e955 Changed directory structure a bit to facilitate building for windows. 2000-03-17 22:12:16 +00:00
curt
35ed10e252 Updates. 2000-02-19 02:22:47 +00:00
curt
0d8ae0cabe Restructuring subdirectories. 2000-02-14 17:37:54 +00:00
curt
5173d709e0 Initial revision 2000-02-09 19:27:02 +00:00