Mombu the GNU Linux Forum sponsored links

Go Back   Mombu the GNU Linux Forum > GNU_Linux > zlib: Buffer overflow
User Name
Password
REGISTER NOW! Mark Forums Read

sponsored links


Reply
 
1 2nd September 06:44
thierry carrez
External User
 
Posts: 1
Default zlib: Buffer overflow


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200507-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: zlib: Buffer overflow
Date: July 06, 2005
Bugs: #98121
ID: 200507-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow has been discovered in zlib, potentially resulting in
the execution of arbitrary code.

Background
==========

zlib is a widely used free and patent unen***bered data compression
library.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sys-libs/zlib < 1.2.2-r1 >= 1.2.2-r1

Description
===========

Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a
buffer overflow in zlib. A bounds checking operation failed to take
invalid data into account, allowing a specifically malformed deflate
data stream to overrun a buffer.

Impact
======

An attacker could construct a malformed data stream, embedding it
within network communication or an application file format, potentially
resulting in the execution of arbitrary code when decoded by the
application using the zlib library.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All zlib users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-libs/zlib-1.2.2-r1"

References
==========

[ 1 ] CAN-2005-2096
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200507-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this do***ent are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCy+lcvcL1obalX08RApjsAJ4/0Xq9PbtEl2JIxBbEd85PCW4F0ACfcneI
BkhYNLyEheFSmHoaV2Kbxxk=
=pBW5
-----END PGP SIGNATURE-----
  Reply With Quote


  sponsored links


2 2nd September 10:01
sune kloppenborg jeppesen
External User
 
Posts: 1
Default zlib: Buffer overflow


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200507-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: zlib: Buffer overflow
Date: July 22, 2005
Bugs: #99751
ID: 200507-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

zlib is vulnerable to a buffer overflow which could potentially lead to
execution of arbitrary code.

Background
==========

zlib is a widely used free and patent unen***bered data compression
library.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 sys-libs/zlib < 1.2.3 >= 1.2.3

Description
===========

zlib improperly handles invalid data streams which could lead to a
buffer overflow.

Impact
======

By creating a specially crafted compressed data stream, attackers can
overwrite data structures for applications that use zlib, resulting in
arbitrary code execution or a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All zlib users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-libs/zlib-1.2.3"

References
==========

[ 1 ] Full Disclosure Announcement
http://archives.neohapsis.com/archives/fulldisclosure/2005-07/0489.html
[ 2 ] CAN-2005-1849
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1849

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200507-19.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this do***ent are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQBC4IUJzKC5hMHO6rkRAkVHAJ0aDF7ogLoGgEG7NlL6vR JbkLllHQCfZcxi
5E4nsenJKlDSSe9RmgDGEEs=
=jkyZ
-----END PGP SIGNATURE-----
  Reply With Quote


  sponsored links


Reply

« Previous Thread (realplayer-heap) | Next Thread (tikiwiki-arbitrary) »

Thread Tools
Display Modes
Linear Mode Linear Mode




Copyright © 2006 SmartyDevil.com - Dies Mies Jeschet Boenedoesef Douvema Enitemaus -
666