61749 2004-08-26 01:38 0000 sys-libs/zlib-1.2.*: denial of service vulnerability 2004-11-02 13:24:13 0000 1 1 1 Unclassified Gentoo Linux Security unspecified All All RESOLVED FIXED http://www.openpkg.org/security/OpenPKG-SA-2004.038-zlib.html A3 [glsa] jaervosz P2 major --- 1 vorlon@gentoo.org security@gentoo.org base-system@gentoo.org ben@easynews.com vorlon@gentoo.org 2004-08-26 01:38:01 0000 Debian Bug that triggered the following advisory: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=252253 ----------- Package: zlib Vulnerability: denial of service OpenPKG Specific: no Affected Releases: Affected Packages: Corrected Packages: OpenPKG CURRENT <= zlib-1.2.1-20040207 >= zlib-1.2.1-20040825 <= ghostscript-8.14-20040816 >= ghostscript-8.14-20040825 <= openpkg-20040811-20040811 >= openpkg-20040825-20040825 OpenPKG 2.1 <= zlib-1.2.1-2.1.0 >= zlib-1.2.1-2.1.1 <= ghostscript-8.14-2.1.1 >= ghostscript-8.14-2.1.2 <= openpkg-2.1.1-2.1.1 >= openpkg-2.1.2-2.1.2 OpenPKG 2.0 <= zlib-1.2.1-2.0.0 >= zlib-1.2.1-2.0.1 <= ghostscript-8.13-2.0.3 >= ghostscript-8.13-2.0.4 <= openpkg-2.0.3-2.0.3 >= openpkg-2.0.4-2.0.4 Dependent Packages: [...] Description: Triggered by a Debian bug report [1], a denial of service vulnerability was found in the ZLib compression library [0] versions 1.2.x (older versions are not affected). The problem arises from incorrect error handling in the inflate() and inflateBack() functions. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2004-0797 [2] to the problem. Please check whether you are affected by running "<prefix>/bin/openpkg rpm -q zlib". If you have the "zlib" package installed and its version is affected (see above), we recommend that you immediately upgrade it (see Solution) and its dependent packages (see above) as well [3][4]. [...] vorlon@gentoo.org 2004-08-26 01:54:18 0000 Created an attachment (id=38229) Patch used by OpenPKG Attachment contains the patch against zlib-1.2.1 used by OpenPKG (patching infback.c and inflate.c) jaervosz@gentoo.org 2004-08-26 02:45:46 0000 base-system please verify and provide an updated ebuild if needed. Debian seems to be fixing it: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=252253 solar@gentoo.org 2004-08-26 08:01:05 0000 I can't verify the vuln is real without a test case which means I can't verify the patch does what it's supposed to. Sorry the only thing I can verify is that it patches clean, rebuilds and a few things that link to zlib still work. I've put zlib-1.2.1-r3 in the tree however with the OpenPKG patch named as zlib-1.2.1-CAN-2004-0797.patch KEYWORDS="~x86 ~ppc ~sparc ~mips ~alpha ~arm ~hppa ~amd64 ~ia64 ~ppc64 ~s390" solar@gentoo.org 2004-08-26 08:31:37 0000 Note: A revdep-rebuild probably should be done for any package that linked with the libzlib.a or uses zlib in a static environment. To get an idea try doing. /usr/bin/revdep-rebuild -X zlib -pv vapier@gentoo.org 2004-08-26 10:41:07 0000 marked stable for arm/hppa/amd64/ia64 jaervosz@gentoo.org 2004-08-26 11:30:33 0000 Arches please mark zlib-1.2.1-r3 stable gustavoz@gentoo.org 2004-08-26 11:47:43 0000 sparc stable. avenj@gentoo.org 2004-08-26 16:31:49 0000 Stable on x86 vapier@gentoo.org 2004-08-26 19:03:45 0000 ppc/alpha is now stable vapier@gentoo.org 2004-08-26 19:22:04 0000 mips stable too now too tgall@gentoo.org 2004-08-26 20:10:59 0000 stable on ppc64 jaervosz@gentoo.org 2004-08-26 21:33:51 0000 This is ready for GLSA. Security please draft and condordes double check. jaervosz@gentoo.org 2004-08-26 22:22:34 0000 GLSA drafted. Security please review. vorlon@gentoo.org 2004-08-27 00:45:33 0000 Debian seems to patch those two files in the same way. Although the upload is not in their pool yet, it can be found at http://incoming.debian.org/ (http://incoming.debian.org/zlib_1.2.1.1-7.diff.gz). The new Changelog for zlib there says: +zlib (1:1.2.1.1-6) testing; urgency=high + + * Fix the error handling in the new inflate implementation to avoid + incorrectly continuing to process in the error state. Thanks to Johan + Thelmén <johan.thelmen@cygate.se> for his help in finding and fixing this + bug. This is CAN-2004-0797 (closes: #252253). vorlon@gentoo.org 2004-08-27 00:45:33 0000 Debian seems to patch those two files in the same way. Although the upload is not in their pool yet, it can be found at http://incoming.debian.org/ (http://incoming.debian.org/zlib_1.2.1.1-7.diff.gz). The new Changelog for zlib there says: +zlib (1:1.2.1.1-6) testing; urgency=high + + * Fix the error handling in the new inflate implementation to avoid + incorrectly continuing to process in the error state. Thanks to Johan + ThelmÃ©n <johan.thelmen@cygate.se> for his help in finding and fixing this + bug. This is CAN-2004-0797 (closes: #252253). jaervosz@gentoo.org 2004-08-27 12:04:12 0000 GLSA 200406-26 moixa@gmx.ch 2004-08-28 01:12:29 0000 The ebuild definetely should warn about static linked binaries and provide instructions on how to rebuild them! vapier@gentoo.org 2004-09-22 20:53:13 0000 s390 stable jaervosz@gentoo.org 2004-11-02 13:24:13 0000 *** Bug 69877 has been marked as a duplicate of this bug. *** 38229 2004-08-26 01:54 0000 Patch used by OpenPKG zlib.patch text/plain U2VjdXJpdHkgQnVnZml4ZXMgKENBTi0yMDA0LTA3OTcsIE9wZW5QS0ctU0EtMjAwNC4wMzgtemxp Yik6CgpJbmRleDogaW5mYmFjay5jCi0tLSBpbmZiYWNrLmMub3JpZwkyMDAzLTA4LTEyIDAxOjQ4 OjA2ICswMjAwCisrKyBpbmZiYWNrLmMJMjAwNC0wOC0yNSAxMjozNzowNyArMDIwMApAQCAtNDM0 LDYgKzQzNCw5IEBACiAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgfQogCisgICAgICAg ICAgICBpZiAoc3RhdGUtPm1vZGUgPT0gQkFEKQorICAgICAgICAgICAgICAgIGJyZWFrOworCiAg ICAgICAgICAgICAvKiBidWlsZCBjb2RlIHRhYmxlcyAqLwogICAgICAgICAgICAgc3RhdGUtPm5l eHQgPSBzdGF0ZS0+Y29kZXM7CiAgICAgICAgICAgICBzdGF0ZS0+bGVuY29kZSA9IChjb2RlIGNv bnN0IEZBUiAqKShzdGF0ZS0+bmV4dCk7CkluZGV4OiBpbmZsYXRlLmMKLS0tIGluZmxhdGUuYy5v cmlnCTIwMDMtMTAtMjYgMDc6MTU6MzYgKzAxMDAKKysrIGluZmxhdGUuYwkyMDA0LTA4LTI1IDEy OjM3OjA3ICswMjAwCkBAIC04NjEsNiArODYxLDkgQEAKICAgICAgICAgICAgICAgICB9CiAgICAg ICAgICAgICB9CiAKKyAgICAgICAgICAgIGlmIChzdGF0ZS0+bW9kZSA9PSBCQUQpCisgICAgICAg ICAgICAgICAgYnJlYWs7CisKICAgICAgICAgICAgIC8qIGJ1aWxkIGNvZGUgdGFibGVzICovCiAg ICAgICAgICAgICBzdGF0ZS0+bmV4dCA9IHN0YXRlLT5jb2RlczsKICAgICAgICAgICAgIHN0YXRl LT5sZW5jb2RlID0gKGNvZGUgY29uc3QgRkFSICopKHN0YXRlLT5uZXh0KTsK