Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm function, which allows context-dependent attackers to read portions of memory via unknown manipulations that trigger a buffer over-read due to missing null termination.

Reported by: "Piotr Engelking" <inkerman42@gmail.com>

Date: Sat, 31 Mar 2007 15:03:02 UTC

Severity: important

Tags: patch, security

Found in version python2.5/2.5-5

Fixed in version 2.5.1-1

**Done:** Matthias Klose <doko@cs.tu-berlin.de>

Bug is archived. No further changes may be made.

Toggle useless messages

**Report forwarded** to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:  
Bug#416931; Package python2.4. (full text, mbox, link).

**Acknowledgement sent** to "Piotr Engelking" <inkerman42@gmail.com>:  
New Bug report received and forwarded. Copy sent to Matthias Klose <doko@debian.org>. (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

\[Message part 1 (text/plain, inline)\]

Package: python2.4
Version: 2.4.4-2
Severity: important
Tags: security patch

In Modules/\_localemodule.c, PyLocale\_strxfrm() miscalculates the length of
the strxfrm() destination buffer, which causes the function to return a
wrong string, and to read past the destination buffer, which may (and does)
result in an information leak. The bug is also present in python2.5.

The attached patch fixes this problem.


-- System Information:
Debian Release: 4.0
 APT prefers testing
 APT policy: (500, 'testing')
Architecture: i386 (x86\_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18
Locale: LANG=C, LC\_CTYPE=pl\_PL.UTF8 (charmap=UTF-8)

Versions of packages python2.4 depends on:
ii  libbz2-1.0                  1.0.3-6      high-quality block-sorting file co
ii  libc6                       2.3.6.ds1-13 GNU C Library: Shared libraries
ii  libdb4.4                    4.4.20-8     Berkeley v4.4 Database Libraries \[
ii  libncursesw5                5.5-5        Shared libraries for terminal hand
ii  libreadline5                5.2-2        GNU readline and history libraries
ii  libssl0.9.8                 0.9.8c-4     SSL shared libraries
ii  mime-support                3.39-1       MIME files 'mime.types' & 'mailcap
ii  python2.4-minimal           2.4.4-2      A minimal subset of the Python lan

python2.4 recommends no packages.

-- no debconf information

\[strxfrm-leak.patch (text/x-patch, attachment)\]

**Bug 416931 cloned as bug 416934.** Request was from "Piotr Engelking" <inkerman42@gmail.com> to control@bugs.debian.org. (Sat, 31 Mar 2007 15:09:05 GMT) (full text, mbox, link).

**Bug reassigned from package \`python2.4' to \`python2.5'.** Request was from "Piotr Engelking" <inkerman42@gmail.com> to control@bugs.debian.org. (Sat, 31 Mar 2007 15:09:08 GMT) (full text, mbox, link).

**Changed Bug title to python2.5: off-by-one bug in strxfrm() (causes information leak) from python2.4: off-by-one bug in strxfrm() (causes information leak).** Request was from "Piotr Engelking" <inkerman42@gmail.com> to control@bugs.debian.org. (Sat, 31 Mar 2007 15:09:10 GMT) (full text, mbox, link).

**Bug marked as found in version 2.5-5.** Request was from "Piotr Engelking" <inkerman42@gmail.com> to control@bugs.debian.org. (Sat, 31 Mar 2007 17:27:02 GMT) (full text, mbox, link).

**Information forwarded** to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:  
Bug#416934; Package python2.5. (full text, mbox, link).

**Acknowledgement sent** to Lubomir Kundrak <lkundrak@redhat.com>:  
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (full text, mbox, link).

Message #18 received at 416934@bugs.debian.org (full text, mbox, reply):

Piotr: Could you please provide a reproducer, or a string/locale couple
that triggered th bug for you?

In my system, when n1 returned by strxfrm() was equal to n2, the string
was terminated with \\0, only that it was truncated (so a subsequent
attempt to read it did not lead to an out-of-bound read). Though the
manual states that the behavior is undefined. I did not try it in
Debian, but I can't really imagine why would Debian's glibc behave
differently from Fedora's one.

Btw. I can't imagine a real-world situation where would this lead to an
information disclosure. The return value of strxfrm() is never meant to
be displayed to the user.

-- 
Lubomir Kundrak (Red Hat Security Response Team)

**Information forwarded** to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:  
Bug#416934; Package python2.5. (full text, mbox, link).

**Acknowledgement sent** to "Piotr Engelking" <inkerman42@gmail.com>:  
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. (full text, mbox, link).

Message #23 received at 416934@bugs.debian.org (full text, mbox, reply):

Lubomir Kundrak <lkundrak@redhat.com> wrote:
> Piotr: Could you please provide a reproducer, or a string/locale couple
> that triggered th bug for you?

Ok, sorry for being so terse in the original report:

$ cat foo
#!/usr/bin/python

import locale

print locale.setlocale(locale.LC\_COLLATE, 'pl\_PL.UTF8')
print repr(locale.strxfrm('a'))
$ ./foo
pl\_PL.UTF8
'\\x0c\\x01\\x08\\x01\\x02\\x01\\x18\\x08\\x10'
$

Here, '\\x0c\\x01\\x08\\x01\\x02\\x01' comes from glibc's strxfrm(), and the
rest of the string is the contents of the memory immediately after the
destination buffer. (It is also possible to get identifiable parts of
the strings processed by the program before the strxfrm() call but I
don't have a reproducible test case for that.)

> Btw. I can't imagine a real-world situation where would this lead to an
> information disclosure. The return value of strxfrm() is never meant to
> be displayed to the user.

Real-world case, and how I have found the bug in the first place: a
webapp that allows an user to upload some strings to the server, and
other users to view them and sort them in various ways. Since
Javascript doesn't have support for locale-aware string comparison,
each string carries a sorting key, which is the return value of
strxfrm(), and which is visible in the page source.

**Reply sent** to Matthias Klose <doko@cs.tu-berlin.de>:  
You have taken responsibility. (full text, mbox, link).

**Notification sent** to "Piotr Engelking" <inkerman42@gmail.com>:  
Bug acknowledged by developer. (full text, mbox, link).

Message #28 received at 416934-done@bugs.debian.org (full text, mbox, reply):

Version: 2.5.1-1

Fixed in 2.5.1-1

**Bug archived.** Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 08 Jul 2007 07:41:39 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Wed Aug 2 18:08:04 2023; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

CVE-2007-2052: #416934 - python2.5: off-by-one bug in strxfrm() (causes information leak)

The GdkPixbufLoader function in GIMP ToolKit (GTK+) in GTK 2 (gtk2) before 2.4.13 allows context-dependent attackers to cause a denial of service (crash) via a malformed image file.

Description Lubomir Kundrak 2006-12-08 15:39:30 UTC

+++ This bug was initially created as a clone of Bug #218755 +++

Description of problem:


evolution crashes on the spam mail I'll attach as mbox; the crash may well turn
out to be a security issue in itself. But just crashing is serious since the
next time evo opens it immediately goes back to the same mail and crashes again,
so a non-expert user cannot recover from this.

I suspect RHEL5 is affected too

-- Additional comment from arjan@linux.intel.com on 2006-12-07 06:07 EST --
Created an attachment (id=143043)
mbox with the crashing mail


-- Additional comment from lkundrak@redhat.com on 2006-12-08 10:08 EST --
The file "navigable.gif" is incorrectly encoded. I think evolution should not
feed underlying gdk with the corrupted data, but I doubt an assertion failure
there is the right way to handle the faulty gif.

When you extract the file (with reformime or evolution) and either try to view
it with firefox or gqview or embed it in another email message and open in
evolution it is correctly reported as being broken.

Moreover there's some interesting stuff in the broken base64 data: for example
the IN-SB-8XX-PLATFORMS string encoded there. How could it happen to came there?
Maybe this message was meant to exploit some windows software or encoded by a
horribly broken software? I got no smarter after disassembling the 8bit parts of
the part.

-- Additional comment from lkundrak@redhat.com on 2006-12-08 10:18 EST --
Created an attachment (id=143153)
Backtrace from FC6

evolution-2.8.2.1-2.fc6
gtk2-2.10.4-6.fc6

Comment 2 Matthias Clasen 2007-01-10 13:45:57 UTC

Backported fix is in gtk2-2.4.13-20

Comment 3 Lubomir Kundrak 2007-01-10 15:16:05 UTC

Evolution in RHEL-3 doesn't crash, so the issue is virtually harmless there --
we won't issue an update for RHEL-3.

Comment 8 Red Hat Bugzilla 2007-01-24 16:09:48 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0019.html

CVE-2007-0010: 218932 – CVE-2007-0010 GdbPixbufLoader fails to handle invalid input from Evolution correctly

pam_ldap in nss_ldap on Red Hat Enterprise Linux 4, Fedora Core 3 and earlier, and possibly other distributions does not return an error condition when an LDAP directory server responds with a PasswordPolicyResponse control response, which causes the pam_authenticate function to return a success code even if authentication has failed, as originally reported for xscreensaver.

**Bug 207286** \- CVE-2006-5170 When using LDAP for authentication, xscreensaver allows access if account locked out.

Summary: CVE-2006-5170 When using LDAP for authentication, xscreensaver allows access ...

Keywords:

Status:

CLOSED ERRATA

Alias:

None

Product:

Red Hat Enterprise Linux 4

Classification:

Red Hat

Component:

nss\_ldap

Sub Component:

Version:

4.4

Hardware:

x86\_64

OS:

Linux

Priority:

medium

Severity:

high

Target Milestone:

\---

Target Release:

\---

Assignee:

Nalin Dahyabhai

QA Contact:

Jay Turner

Docs Contact:

URL:

Whiteboard:

impact=moderate,source=redhat,public=...

Depends On:

Blocks:

TreeView+

depends on / blocked

Reported:

2006-09-20 14:27 UTC by Steve Rigler

Modified:

2015-01-08 00:14 UTC (History)

CC List:

6 users (show)

Fixed In Version:

RHSA-2006-0719

Doc Type:

Bug Fix

Doc Text:

Clone Of:

Environment:

Last Closed:

2006-11-15 14:26:05 UTC

Target Upstream Version:

  

Attachments

(Terms of Use)

**tcpdump output** (11.10 KB, application/x-extension-out)  
2006-09-22 12:29 UTC, Steve Rigler

_no flags_

Details

**updated source package with proposed patch** (362.02 KB, application/octet-stream)  
2006-09-22 22:01 UTC, Nalin Dahyabhai

_no flags_

Details

View All Add an attachment (proposed patch, testcase, etc.)

Links

System

ID

Private

Priority

Status

Summary

Last Updated

PADL Software

291

0

None

None

None

Never

Red Hat Product Errata

RHSA-2006:0719

0

normal

SHIPPED\_LIVE

Moderate: nss\_ldap security update

2006-11-15 14:26:02 UTC

CVE-2006-5170: 207286 – CVE-2006-5170 When using LDAP for authentication, xscreensaver allows access if account locked out.

Integer overflow in io-xpm.c in gdk-pixbuf 0.22.0 in GTK+ before 2.8.7 allows attackers to cause a denial of service (crash) or execute arbitrary code via an XPM file with large height, width, and colour values, a different vulnerability than CVE-2005-3186.

**Configured for your success**

We develop a holistic understanding of your experience as a customer by ensuring our support and engineering teams work together.

Our support team works hand in hand with the best engineers in the industry to quickly turn customer feedback into product improvements. This direct line of communication allows us to hone in on proactive fixes that can impact your bottom line.

**Find the right level of support**

We have different tiers of support designed to meet your unique needs.

**Self-support**

**Standard**

**Premium**

Access to Red Hat products

Access to our knowledgebase and tools in our  
award-winning Customer Portal

Access to support engineers during standard business hours

Access to support engineers 24x7 for high-severity issues

We also feature specialized support options that can be tailored to the unique needs of companies of all sizes and industries. The Red Hat® Enhanced Solution Support offering reduces downtime and boosts confidence through access to senior level engineers, as well as resolution and restoration SLAs—helping you stay up and running as you innovate, scale, and deploy. Our engineers help restore your operations quickly and accelerate the path to final resolution, identifying the root cause which helps protect against recurrences in the future. Enhanced Solution Support engineers, who are already familiar with your environment, will be there to assist with critical issues in production environments so that you can consistently deliver the cloud services your customers demand. This offering is available for Red Hat OpenShift® and Red Hat OpenStack® Platform customers.

**Personalized support**

Connect with a technical adviser for collaborative planning and specialized guidance. Our Technical Account Managers help you streamline deployments, resolve issues, and shape your technology strategy to meet your toughest business challenges.

Explore Technical Account Management

**Award winners since 2011**

We’ve evolved the traditional software subscription model, combining the best elements of our services to exceed customer expectations. The Association of Support Professionals has honored Red Hat’s Customer Portal as one of “The Top Ten Best Support Websites” for 12 years running.

See why the Customer Portal keeps earning industry recognition

**What they're saying**

> We have found the support from Red Hat to be exemplary. Whenever we need anything from them, they have given it … Red Hat is now our backbone. Our business cannot run if Red Hat is not there.

> We cannot afford the service to go down. Too many people depend on it. Red Hat is a trusted vendor. Our customers can have faith in us...If there is an issue, Red Hat support means it can be addressed quickly.

> Icon-Red\_Hat-Media\_and\_documents-Quotemark\_Open-B-Red-RGB I like the fact that they really dig into things and then provide answers. As the single Linux guy, I kind of need that second admin next to me sometimes to say, "Hey, what about this?" and I am able to do that through the portal. I get my questions answered and trouble tickets resolved.

**Check out our support channels**

**Have questions?**

CVE-2005-2976: Support

Double free vulnerability in gtk 2 (gtk2) before 2.2.4 allows remote attackers to cause a denial of service (crash) via a crafted BMP image.

**Configured for your success**

We develop a holistic understanding of your experience as a customer by ensuring our support and engineering teams work together.

Our support team works hand in hand with the best engineers in the industry to quickly turn customer feedback into product improvements. This direct line of communication allows us to hone in on proactive fixes that can impact your bottom line.

**Find the right level of support**

We have different tiers of support designed to meet your unique needs.

**Self-support**

**Standard**

**Premium**

Access to Red Hat products

Access to our knowledgebase and tools in our  
award-winning Customer Portal

Access to support engineers during standard business hours

Access to support engineers 24x7 for high-severity issues

We also feature specialized support options that can be tailored to the unique needs of companies of all sizes and industries. The Red Hat® Enhanced Solution Support offering reduces downtime and boosts confidence through access to senior level engineers, as well as resolution and restoration SLAs—helping you stay up and running as you innovate, scale, and deploy. Our engineers help restore your operations quickly and accelerate the path to final resolution, identifying the root cause which helps protect against recurrences in the future. Enhanced Solution Support engineers, who are already familiar with your environment, will be there to assist with critical issues in production environments so that you can consistently deliver the cloud services your customers demand. This offering is available for Red Hat OpenShift® and Red Hat OpenStack® Platform customers.

**Personalized support**

Connect with a technical adviser for collaborative planning and specialized guidance. Our Technical Account Managers help you streamline deployments, resolve issues, and shape your technology strategy to meet your toughest business challenges.

Explore Technical Account Management

**Award winners since 2011**

We’ve evolved the traditional software subscription model, combining the best elements of our services to exceed customer expectations. The Association of Support Professionals has honored Red Hat’s Customer Portal as one of “The Top Ten Best Support Websites” for 12 years running.

See why the Customer Portal keeps earning industry recognition

**What they're saying**

> We have found the support from Red Hat to be exemplary. Whenever we need anything from them, they have given it … Red Hat is now our backbone. Our business cannot run if Red Hat is not there.

> We cannot afford the service to go down. Too many people depend on it. Red Hat is a trusted vendor. Our customers can have faith in us...If there is an issue, Red Hat support means it can be addressed quickly.

> Icon-Red\_Hat-Media\_and\_documents-Quotemark\_Open-B-Red-RGB I like the fact that they really dig into things and then provide answers. As the single Linux guy, I kind of need that second admin next to me sometimes to say, "Hey, what about this?" and I am able to do that through the portal. I get my questions answered and trouble tickets resolved.

**Have questions?**

CVE-2005-0891: Support

The BMP image processor for (1) gdk-pixbuf before 0.22 and (2) gtk2 before 2.2.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted BMP file.

CVE-2004-0753: Support

Buffer overflow in Apache 2.0.50 and earlier allows local users to gain apache privileges via a .htaccess file that causes the overflow during expansion of environment variables.

Skip to content

*   *   Console
    *   Support
    *   Developers
    *   Partner Connect
    *   redhat.com
    *   Start a trial
    

Contact us

Welcome,

Log in to your Red Hat account

Log in

Your Red Hat account gives you access to your member profile and preferences, and the following services based on your customer status:

*   Customer Portal
*   User management

*   Certification Central

Register now

Not registered yet? Here are a few reasons why you should be:

*   Browse Knowledgebase articles, manage support cases and subscriptions, download updates, and more from one place.
*   View users in your organization, and edit their account information, preferences, and permissions.
*   Manage your Red Hat certifications, view exam history, and download certification-related logos and documents.

For your security, if you're on a public computer and have finished using your Red Hat services, please be sure to log out.

Log out

Account Log in

*   Products
*   Solutions
*   Services & support
*   Resources
*   Partners
*   About

**Red Hat Support****Go beyond support by engaging with our experts**

Our teams collaborate with you to ensure you accomplish your goals with Red Hat solutions. The relationship we build with you is designed to provide you with the tools and resources you need to find success on your IT journey.

**Configured for your success**

We develop a holistic understanding of your experience as a customer by ensuring our support and engineering teams work together.

Our support team works hand in hand with the best engineers in the industry to quickly turn customer feedback into product improvements. This direct line of communication allows us to hone in on proactive fixes that can impact your bottom line.

**Find the right level of support**

We have different tiers of support designed to meet your unique needs.

**Self-support**

**Standard**

**Premium**

Access to Red Hat products

Access to our knowledgebase and tools in our  
award-winning Customer Portal

Access to support engineers during standard business hours

Access to support engineers 24x7 for high-severity issues

We also feature specialized support options that can be tailored to the unique needs of companies of all sizes and industries. The Red Hat® Enhanced Solution Support offering reduces downtime and boosts confidence through access to senior level engineers, as well as resolution and restoration SLAs—helping you stay up and running as you innovate, scale, and deploy. Our engineers help restore your operations quickly and accelerate the path to final resolution, identifying the root cause which helps protect against recurrences in the future. Enhanced Solution Support engineers, who are already familiar with your environment, will be there to assist with critical issues in production environments so that you can consistently deliver the cloud services your customers demand. This offering is available for Red Hat OpenShift® and Red Hat OpenStack® Platform customers.

**Personalized support**

Connect with a technical adviser for collaborative planning and specialized guidance. Our Technical Account Managers help you streamline deployments, resolve issues, and shape your technology strategy to meet your toughest business challenges.

Explore Technical Account Management

**Award winners since 2011**

We’ve evolved the traditional software subscription model, combining the best elements of our services to exceed customer expectations. The Association of Support Professionals has honored Red Hat’s Customer Portal as one of “The Top Ten Best Support Websites” for 9 years running.

See why the Customer Portal keeps earning industry recognition

**What they're saying**

> We have found the support from Red Hat to be exemplary. Whenever we need anything from them, they have given it … Red Hat is now our backbone. Our business cannot run if Red Hat is not there.

> We cannot afford the service to go down. Too many people depend on it. Red Hat is a trusted vendor. Our customers can have faith in us...If there is an issue, Red Hat support means it can be addressed quickly.

**Check out our support channels**

**Have questions?**

CVE-2004-0747: Support

mod_ssl in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (CPU consumption) by aborting an SSL connection in a way that causes an Apache child process to enter an infinite loop.

CVE-2004-0748: Support

Buffer overflow in Samba 2.2.x to 2.2.9, and 3.0.0 to 3.0.4, when the "mangling method = hash" option is enabled in smb.conf, has unknown impact and attack vectors.

Skip to content

*   *   Console
    *   Support
    *   Developers
    *   Partners
    *   redhat.com
    *   Start a trial
    

Contact us

Welcome,

Log in to your Red Hat account

Log in

Your Red Hat account gives you access to your member profile and preferences, and the following services based on your customer status:

*   Customer Portal
*   Red Hat Connect for Business Partners

*   User management
*   Certification Central

Register now

Not registered yet? Here are a few reasons why you should be:

*   Browse Knowledgebase articles, manage support cases and subscriptions, download updates, and more from one place.
*   View users in your organization, and edit their account information, preferences, and permissions.
*   Manage your Red Hat certifications, view exam history, and download certification-related logos and documents.

For your security, if you're on a public computer and have finished using your Red Hat services, please be sure to log out.

Log out

Account Log in

*   Products
*   Solutions
*   Services & support
*   Resources
*   Red Hat & open source

**Red Hat Support****Go beyond support by engaging with our experts**

Our teams collaborate with you to ensure you accomplish your goals with Red Hat solutions. The relationship we build with you is designed to provide you with the tools and resources you need to find success on your IT journey.

**Configured for your success**

We develop a holistic understanding of your experience as a customer by ensuring our support and engineering teams work together.

Our support team works hand in hand with the best engineers in the industry to quickly turn customer feedback into product improvements. This direct line of communication allows us to hone in on proactive fixes that can impact your bottom line.

**Find the right level of support**

We have different tiers of support designed to meet your unique needs.

**Self-support**

**Standard**

**Premium**

Access to Red Hat products

Access to our knowledgebase and tools in our  
award-winning Customer Portal

Access to support engineers during standard business hours

Access to support engineers 24x7 for high-severity issues

We also feature specialized support options that can be tailored to the unique needs of companies of all sizes and industries. The Red Hat® Enhanced Solution Support offering reduces downtime and boosts confidence through access to senior level engineers, as well as resolution and restoration SLAs—helping you stay up and running as you innovate, scale, and deploy. Our engineers help restore your operations quickly and accelerate the path to final resolution, identifying the root cause which helps protect against recurrences in the future. Enhanced Solution Support engineers, who are already familiar with your environment, will be there to assist with critical issues in production environments so that you can consistently deliver the cloud services your customers demand. This offering is available for Red Hat OpenShift® and Red Hat OpenStack® Platform customers.

**Personalized support**

Connect with a technical adviser for collaborative planning and specialized guidance. Our Technical Account Managers help you streamline deployments, resolve issues, and shape your technology strategy to meet your toughest business challenges.

Explore Technical Account Management

**Award winners since 2011**

We’ve evolved the traditional software subscription model, combining the best elements of our services to exceed customer expectations. The Association of Support Professionals has honored Red Hat’s Customer Portal as one of “The Top Ten Best Support Websites” for 9 years running.

See why the Customer Portal keeps earning industry recognition

**What they're saying**

> We have found the support from Red Hat to be exemplary. Whenever we need anything from them, they have given it … Red Hat is now our backbone. Our business cannot run if Red Hat is not there.

> We cannot afford the service to go down. Too many people depend on it. Red Hat is a trusted vendor. Our customers can have faith in us...If there is an issue, Red Hat support means it can be addressed quickly.

**Check out our support channels**

**Have questions?**

CVE-2004-0686: Support

The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a "double free"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data.

Skip to content

*   *   Console
    *   Support
    *   Developers
    *   Partners
    *   Redhat.com
    *   Start a trial
    

Contact us

Account Log in

**Red Hat Support****Go beyond support by engaging with our experts**

Our teams collaborate with you to ensure you accomplish your goals with Red Hat solutions. The relationship we build with you is designed to provide you with the tools and resources you need to find success on your IT journey.

**Configured for your success**

We develop a holistic understanding of your experience as a customer by ensuring our support and engineering teams work together.

Our support team works hand in hand with the best engineers in the industry to quickly turn customer feedback into product improvements. This direct line of communication allows us to hone in on proactive fixes that can impact your bottom line.

**Find the right level of support**

We have different tiers of support designed to meet your unique needs.

**Self-support**

**Standard**

**Premium**

Access to Red Hat products

Access to our knowledgebase and tools in our  
award-winning Customer Portal

Access to support engineers during standard business hours

Access to support engineers 24x7 for high-severity issues

We also feature specialized support options that can be tailored to the unique needs of companies of all sizes and industries. The Red Hat® Enhanced Solution Support offering reduces downtime and boosts confidence through access to senior level engineers, as well as resolution and restoration SLAs—helping you stay up and running as you innovate, scale, and deploy. Our engineers help restore your operations quickly and accelerate the path to final resolution, identifying the root cause which helps protect against recurrences in the future. Enhanced Solution Support engineers, who are already familiar with your environment, will be there to assist with critical issues in production environments so that you can consistently deliver the cloud services your customers demand. This offering is available for Red Hat OpenShift® and Red Hat OpenStack® Platform customers.

**Personalized support**

Connect with a technical adviser for collaborative planning and specialized guidance. Our Technical Account Managers help you streamline deployments, resolve issues, and shape your technology strategy to meet your toughest business challenges.

Explore Technical Account Management

**Award winners since 2011**

We’ve evolved the traditional software subscription model, combining the best elements of our services to exceed customer expectations. The Association of Support Professionals has honored Red Hat’s Customer Portal as one of “The Top Ten Best Support Websites” for 9 years running.

See why the Customer Portal keeps earning industry recognition

**What they're saying**

> We have found the support from Red Hat to be exemplary. Whenever we need anything from them, they have given it … Red Hat is now our backbone. Our business cannot run if Red Hat is not there.

> We cannot afford the service to go down. Too many people depend on it. Red Hat is a trusted vendor. Our customers can have faith in us...If there is an issue, Red Hat support means it can be addressed quickly.

**Check out our support channels**

**Have questions?**

Tag

#red_hat