Bug 99751 - sys-libs/zlib: another buffer overflow (CAN-2005-1849)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Security
URL: http://archives.neohapsis.com/archive...
Whiteboard: A1 [glsa] jaervosz
Duplicates: 98780
 
Reported: 2005-07-20 22:24 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-07-21 23:23 UTC
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-20 22:24:55 UTC
Package : zlib
Vulnerability : buffer overflow
Problem type : remote DoS
Debian-specific: no
CVE ID : CAN-2005-1849

Markus Oberhumer discovered a flaw in the way zlib, a library used for
file compression and decompression, handles invalid input. This flaw can
cause programs which use zlib to crash when opening an invalid file.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-20 22:26:31 UTC
Base-system please commit the zlib-1.2.3 ebuild for further arch testing. 
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-20 22:28:29 UTC
*** Bug 98780 has been marked as a duplicate of this bug. ***
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-21 01:41:39 UTC
Arches please test and mark zlib-1.2.3 stable.  
  
Committed with the following keywords from previous arch security liaison  
testing:  
  
KEYWORDS="alpha ~amd64 ~arm hppa ~ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc ~x86"
  
Comment 4 Petteri Räty (RETIRED) gentoo-dev 2005-07-21 04:38:39 UTC
 21 Jul 2005; Tavis Ormandy <taviso@gentoo.org> +zlib-1.2.3.ebuild:
security bump #63740

The ChangeLog should probably point to this bug?
Comment 5 solar (RETIRED) gentoo-dev 2005-07-21 04:53:27 UTC
I'll make note when I bump x86 of this bug #
Comment 6 solar (RETIRED) gentoo-dev 2005-07-21 05:04:06 UTC
stable on x86 made reference to the can and this bug. 
s390 amd64 m68k arm sh mips ia64 remain.
Comment 7 Chris Gianelloni (RETIRED) gentoo-dev 2005-07-21 06:25:23 UTC
Actually, this is a "blocker" for the release being built.

Thanks
Comment 8 Herbie Hopkins (RETIRED) gentoo-dev 2005-07-21 07:29:11 UTC
Stable on amd64.
Comment 9 Chris Gianelloni (RETIRED) gentoo-dev 2005-07-21 12:14:53 UTC
IA64 done by agriffis
Comment 10 SpanKY gentoo-dev 2005-07-21 17:27:58 UTC
all stable but mips
Comment 11 solar (RETIRED) gentoo-dev 2005-07-21 18:31:18 UTC
Sadly other distros seem to be downplaying the impact of this vuln.
I'm glad we have guys like tavis who do homework.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-21 22:48:27 UTC
GLSA 200507-19 
 
mips don't forget to mark stable to benefit from the GLSA.
Comment 13 Hardave Riar (RETIRED) gentoo-dev 2005-07-21 23:23:16 UTC
Stable on mips.