http://lists.centos.org/pipermail/centos-announce/2005-July/thread.html On 7/7/05, William Warren <hescominsoon at emmanuelcomputerconsulting.com> wrote: > Has Centos been tested for this yet? > > > -------- Original Message -------- > Subject: [Full-disclosure] [ GLSA 200507-05 ] zlib: Buffer overflow > Date: Wed, 06 Jul 2005 16:23:20 +0200 > From: Thierry Carrez <koon at gentoo.org> > Organization: Gentoo Linux > To: gentoo-announce at lists.gentoo.org > CC: full-disclosure at lists.grok.org.uk, > bugtraq at securityfocus.com, security-alerts at linuxsecurity.com > > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > - - - > Gentoo Linux Security Advisory GLSA > 200507-05 > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > - - - > > http://security.gentoo.org/ > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > - - - > > Severity: High > Title: zlib: Buffer overflow > Date: July 06, 2005 > Bugs: #98121 > ID: 200507-05 > > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > - - - > > Synopsis > ======== > > A buffer overflow has been discovered in zlib, potentially > resulting in > the execution of arbitrary code. > > Background > ========== > > zlib is a widely used free and patent unencumbered data compression > library. > > Affected packages > ================= > > > ------------------------------------------------------------------- > Package / Vulnerable / > Unaffected > > ------------------------------------------------------------------- > 1 sys-libs/zlib < 1.2.2-r1 >= > 1.2.2-r1 > > Description > =========== > > Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a > buffer overflow in zlib. A bounds checking operation failed to take > invalid data into account, allowing a specifically malformed deflate > data stream to overrun a buffer. > > Impact > ====== > > An attacker could construct a malformed data stream, embedding it > within network communication or an application file format, > potentially > resulting in the execution of arbitrary code when decoded by the > application using the zlib library. > > Workaround > ========== > > There is no known workaround at this time. > > Resolution > ========== > > All zlib users should upgrade to the latest version: > > # emerge --sync > # emerge --ask --oneshot --verbose ">=sys-libs/zlib-1.2.2-r1" > > References > ========== > > [ 1 ] CAN-2005-2096 > > http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096 > > Availability > ============ > > This GLSA and any updates to it are available for viewing at > the Gentoo Security Website: > > http://security.gentoo.org/glsa/glsa-200507-05.xml > > Concerns? > ========= > > Security is a primary focus of Gentoo Linux and ensuring the > confidentiality and security of our users machines is of utmost > importance to us. Any security concerns should be addressed to > security at gentoo.org or alternatively, you may file a bug at > http://bugs.gentoo.org. > > License > ======= > > Copyright 2005 Gentoo Foundation, Inc; referenced text > belongs to its owner(s). > > The contents of this document are licensed under the > Creative Commons - Attribution / Share Alike license. > > http://creativecommons.org/licenses/by-sa/2.0 > > > > > -- > My "Foundation" verse: > Isa 54:17 No weapon that is formed against thee shall prosper; > and every tongue that shall rise against thee in judgment thou > shalt condemn. This is the heritage of the servants of the LORD, > and their righteousness is of me, saith the LORD. > > -- carpe ductum -- "Grab the tape" > CDTT (Certified Duct Tape Technician) > > Linux user #322099 > Machines: > 206822 > 256638 > 276825 > http://counter.li.org/ > > > BodyID:422675878.2.n.logpart (stored separately) > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos > > > -- Beau Henderson