[CentOS] [Fwd: [Full-disclosure] [ GLSA 200507-05 ] zlib: Buffer overflow]

Thu Jul 7 04:22:10 UTC 2005
Beau Henderson <silentbob at gmail.com>

http://lists.centos.org/pipermail/centos-announce/2005-July/thread.html

On 7/7/05, William Warren <hescominsoon at emmanuelcomputerconsulting.com> wrote:
> Has Centos been tested for this yet?
> 
> 
> -------- Original Message --------
> Subject: [Full-disclosure] [ GLSA 200507-05 ] zlib: Buffer overflow
> Date: Wed, 06 Jul 2005 16:23:20 +0200
> From: Thierry Carrez <koon at gentoo.org>
> Organization: Gentoo Linux
> To: gentoo-announce at lists.gentoo.org
> CC: full-disclosure at lists.grok.org.uk, bugtraq at securityfocus.com, security-alerts at linuxsecurity.com
> 
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Gentoo Linux Security Advisory                           GLSA 200507-05
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> 
> http://security.gentoo.org/
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> 
>    Severity: High
>       Title: zlib: Buffer overflow
>        Date: July 06, 2005
>        Bugs: #98121
>          ID: 200507-05
> 
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> 
> Synopsis
> ========
> 
> A buffer overflow has been discovered in zlib, potentially resulting in
> the execution of arbitrary code.
> 
> Background
> ==========
> 
> zlib is a widely used free and patent unencumbered data compression
> library.
> 
> Affected packages
> =================
> 
> 
> -------------------------------------------------------------------
>       Package        /  Vulnerable  /                    Unaffected
> -------------------------------------------------------------------
>    1  sys-libs/zlib     < 1.2.2-r1                       >= 1.2.2-r1
> 
> Description
> ===========
> 
> Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a
> buffer overflow in zlib. A bounds checking operation failed to take
> invalid data into account, allowing a specifically malformed deflate
> data stream to overrun a buffer.
> 
> Impact
> ======
> 
> An attacker could construct a malformed data stream, embedding it
> within network communication or an application file format, potentially
> resulting in the execution of arbitrary code when decoded by the
> application using the zlib library.
> 
> Workaround
> ==========
> 
> There is no known workaround at this time.
> 
> Resolution
> ==========
> 
> All zlib users should upgrade to the latest version:
> 
>      # emerge --sync
>      # emerge --ask --oneshot --verbose ">=sys-libs/zlib-1.2.2-r1"
> 
> References
> ==========
> 
>    [ 1 ] CAN-2005-2096
> 
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096
> 
> Availability
> ============
> 
> This GLSA and any updates to it are available for viewing at
> the Gentoo Security Website:
> 
>    http://security.gentoo.org/glsa/glsa-200507-05.xml
> 
> Concerns?
> =========
> 
> Security is a primary focus of Gentoo Linux and ensuring the
> confidentiality and security of our users' machines is of utmost
> importance to us. Any security concerns should be addressed to
> security at gentoo.org or alternatively, you may file a bug at
> http://bugs.gentoo.org.
> 
> License
> =======
> 
> Copyright 2005 Gentoo Foundation, Inc; referenced text
> belongs to its owner(s).
> 
> The contents of this document are licensed under the
> Creative Commons - Attribution / Share Alike license.
> 
> http://creativecommons.org/licenses/by-sa/2.0
> 
> 
> 
> 
> --
> My "Foundation" verse:
> Isa 54:17  No weapon that is formed against thee shall prosper;
> and every tongue that shall rise against thee in judgment thou
> shalt condemn. This is the heritage of the servants of the LORD,
> and their righteousness is of me, saith the LORD.
> 
> -- carpe ductum -- "Grab the tape"
> CDTT (Certified Duct Tape Technician)
> 
> Linux user #322099
> Machines:
> 206822
> 256638
> 276825
> http://counter.li.org/
> 
> 


-- 
Beau Henderson