Bug 61749 - sys-libs/zlib-1.2.*: denial of service vulnerability

Bug#: 61749
Product: Gentoo Linux
Version: unspecified
Platform: All
OS/Version: All
Status: RESOLVED
Severity: major
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: vorlon@gentoo.org
Component: Security
URL: http://www.openpkg.org/security/OpenPKG-SA-2004.038-zlib.html
Summary: sys-libs/zlib-1.2.*: denial of service vulnerability
Keywords:
Status Whiteboard: A3 [glsa] jaervosz
Opened: 2004-08-26 01:38 0000
|
Debian Bug that triggered the following advisory:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=252253
-----------
Package: zlib
Vulnerability: denial of service
OpenPKG Specific: no

Affected Releases   Affected Packages               Corrected Packages
OpenPKG CURRENT     <= zlib-1.2.1-20040207          >= zlib-1.2.1-20040825
                    <= ghostscript-8.14-20040816    >= ghostscript-8.14-20040825
                    <= openpkg-20040811-20040811    >= openpkg-20040825-20040825
OpenPKG 2.1         <= zlib-1.2.1-2.1.0             >= zlib-1.2.1-2.1.1
                    <= ghostscript-8.14-2.1.1       >= ghostscript-8.14-2.1.2
                    <= openpkg-2.1.1-2.1.1          >= openpkg-2.1.2-2.1.2
OpenPKG 2.0         <= zlib-1.2.1-2.0.0             >= zlib-1.2.1-2.0.1
                    <= ghostscript-8.13-2.0.3       >= ghostscript-8.13-2.0.4
                    <= openpkg-2.0.3-2.0.3          >= openpkg-2.0.4-2.0.4

Dependent Packages:
[...]
Description:
Triggered by a Debian bug report [1], a denial of service vulnerability
was found in the ZLib compression library [0] versions 1.2.x
(older versions are not affected). The problem arises from incorrect
error handling in the inflate() and inflateBack() functions. The
Common Vulnerabilities and Exposures (CVE) project assigned the id
CAN-2004-0797 [2] to the problem.
Please check whether you are affected by running "<prefix>/bin/openpkg
rpm -q zlib". If you have the "zlib" package installed and its version
is affected (see above), we recommend that you immediately upgrade it
(see Solution) and its dependent packages (see above) as well [3][4].
[...]
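The advisory above pins the 1.2.x flaw on inflate() and inflateBack() carrying on after an error. As an added example (not from the bug report, the advisory, or zlib itself), here is the caller-side discipline in Python's standard zlib binding, which drives the same C inflate(): stop at the first error return, reject a stream that ends before its trailer, and cap the output so a small hostile stream cannot exhaust memory. The sample streams and the MAX_OUT budget are constructed for the demonstration.

```python
import zlib

MAX_OUT = 1 << 20  # constructed default budget: 1 MiB of inflated output

class InflateError(Exception):
    """args[0] is the kind: "corrupt", "budget" or "truncated"."""

def safe_inflate(data: bytes, max_out: int = MAX_OUT, chunk: int = 4096) -> bytes:
    """Inflate a zlib stream, aborting at the first error return.
    Any zlib.error ends processing, a stream that ends before its trailer is
    rejected, and total output is capped so a tiny stream cannot be expanded
    into gigabytes (the decompression-bomb form of denial of service).
    """
    d = zlib.decompressobj()
    out = bytearray()
    pos = 0
    while True:
        if d.unconsumed_tail:        # input held back by the previous max_length
            feed = d.unconsumed_tail
        elif pos < len(data):
            feed, pos = data[pos:pos + chunk], pos + chunk
        else:
            break
        try:
            # max_length bounds this call's output; +1 makes an overrun visible
            out += d.decompress(feed, max_out - len(out) + 1)
        except zlib.error as e:      # Z_DATA_ERROR etc.: stop, never continue
            raise InflateError("corrupt", f"near input offset {pos}: {e}") from None
        if len(out) > max_out:
            raise InflateError("budget", f"output exceeds {max_out} bytes")
        if d.eof:                    # trailer seen and its checksum verified
            break
    if not d.eof:
        raise InflateError("truncated", "input ended before the stream trailer")
    return bytes(out)

def outcome(data: bytes, max_out: int = MAX_OUT) -> str:
    """Summarise safe_inflate() as "ok:<bytes>" or the error kind."""
    try:
        return f"ok:{len(safe_inflate(data, max_out))}"
    except InflateError as e:
        return e.args[0]

# Constructed sample streams (not taken from the bug report or the advisory).
PLAINTEXT = b"sys-libs/zlib-1.2.1-r3 " * 200
VALID = zlib.compress(PLAINTEXT)
BAD_HEADER = bytes([VALID[0] ^ 0xFF]) + VALID[1:]  # zlib header check now fails
TRUNCATED = VALID[:-6]                              # cut inside the final block
```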
I can't verify the vuln is real without a test case, which means I can't verify
the patch does what it's supposed to.
Sorry, the only thing I can verify is that it patches clean, rebuilds, and a few
things that link to zlib still work.
I've put zlib-1.2.1-r3 in the tree, however, with the OpenPKG patch named as
zlib-1.2.1-CAN-2004-0797.patch
KEYWORDS="~x86 ~ppc ~sparc ~mips ~alpha ~arm ~hppa ~amd64 ~ia64 ~ppc64 ~s390"
Note: A revdep-rebuild probably should be done for any package that linked with
libzlib.a or uses zlib in a static environment.
To get an idea, try doing:
/usr/bin/revdep-rebuild -X zlib -pv
marked stable for arm/hppa/amd64/ia64
Arches please mark zlib-1.2.1-r3 stable
This is ready for GLSA. Security please draft and condordes double check.
GLSA drafted. Security please review.
Debian seems to patch those two files in the same way. Although the upload is
not in their pool yet, it can be found at http://incoming.debian.org/
(http://incoming.debian.org/zlib_1.2.1.1-7.diff.gz).
The new Changelog for zlib there says:
+zlib (1:1.2.1.1-6) testing; urgency=high
+
+ * Fix the error handling in the new inflate implementation to avoid
+ incorrectly continuing to process in the error state. Thanks to Johan
+ Thelmén <johan.thelmen@cygate.se> for his help in finding and fixing this
+ bug. This is CAN-2004-0797 (closes: #252253).
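Review bot: the quoted changelog entry is for 1:1.2.1.1-6, while the diff linked above is zlib_1.2.1.1-7.diff.gz; confirm that the -7 diff still carries this inflate error-handling change before relying on it. The entry describes the fix only in prose ("avoid incorrectly continuing to process in the error state"), so the hunks for the two files mentioned above are what need to be compared line by line against the OpenPKG patch, not the changelog text.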
The ebuild definitely should warn about statically linked binaries and provide
instructions on how to rebuild them!
*** Bug 69877 has been marked as a duplicate of this bug. ***