Bug#: 273141
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Eray Aslan <eray.aslan@caf.com.tr>
Bug 273141 depends on: 268615 Show dependency tree
Bug 273141 blocks: 281955

Description:   Opened: 2009-06-08 05:50 0000
perl-core/Compress-Raw-Zlib-2.015 (current stable) has a buffer overflow which
was corrected in perl-core/Compress-Raw-Zlib-2.017.  It results in a hung
process during email checking.  Examples were seen in the wild.  Please check
the above URL for the details.

Please unmask and stabilize perl-core/Compress-Raw-Zlib-2.020 (latest release,
currently hard masked) or at least anything >=perl-core/Compress-Raw-Zlib-2.017



Reproducible: Always

------- Comment #1 From Torsten Veller 2009-06-10 14:33:33 0000 -------
The versions are unmasked.

If early stabilization is wanted, all of the following should be stabilized:

=perl-core/IO-Compress-2.020
=perl-core/Compress-Raw-Zlib-2.020
=perl-core/Compress-Raw-Bzip2-2.020
=virtual/perl-IO-Compress-2.020
=virtual/perl-Compress-Raw-Zlib-2.020
=virtual/perl-Compress-Raw-Bzip2-2.020

=virtual/perl-Compress-Zlib-2.020
=virtual/perl-IO-Compress-Zlib-2.020
=virtual/perl-IO-Compress-Bzip2-2.020
=virtual/perl-IO-Compress-Base-2.020

------- Comment #2 From Alex Legler 2009-06-12 19:35:58 0000 -------
Arches, please stabilize as per comment 1.

------- Comment #3 From Ferris McCormick 2009-06-12 21:26:15 0000 -------
Sparc stable:

Files=7, Tests=684, 11 wallclock secs ( 0.49 usr  0.06 sys +  9.61 cusr  0.29 csys = 10.45 CPU)
Result: PASS

------- Comment #4 From Jeroen Roovers 2009-06-13 15:47:42 0000 -------
Stable for HPPA.

------- Comment #5 From Raúl Porcel 2009-06-14 10:18:24 0000 -------
Uh... I wonder why hppa and sparc ignored all the stabilizations on comment #1
:) I've fixed sparc.

hppa: please also stabilize everything else.

alpha/arm/ia64/m68k/s390/sh/sparc/x86 stable

------- Comment #6 From Jeroen Roovers 2009-06-14 14:57:33 0000 -------
(In reply to comment #5)
> Uh... I wonder why hppa and sparc ignored all the stabilizations on comment #1
> :) I've fixed sparc.

Because the bug's Summary is misleading, I guess.

> hppa: please also stabilize everything else.

Thanks for the hint.

------- Comment #7 From Jeroen Roovers 2009-06-14 16:20:32 0000 -------
Done.

------- Comment #8 From Alex Legler 2009-06-17 10:18:37 0000 -------
CVE-2009-1391 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1391):
  Off-by-one error in the inflate function in Zlib.xs in
  Compress::Raw::Zlib Perl module before 2.017, as used in AMaViS,
  SpamAssassin, and possibly other products, allows context-dependent
  attackers to cause a denial of service (hang or crash) via a crafted
  zlib compressed stream that triggers a heap-based buffer overflow, as
  exploited in the wild by Trojan.Downloader-71014 in June 2009.
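
A practical check against the range the CVE text gives ("before 2.017") is to compare installed package versions as Perl decimal versions rather than as strings, so that 2.02 and 2.020 are treated as the same release. The following is an added Python example, not code from the bug report or from the Gentoo project: it parses package atoms written the way comment 1 lists them and reports the ones that fall in the affected range. The installed list is a constructed sample, and the atom regular expression is a simplified assumption (an optional leading =, category, hyphenated name, version and optional -rN revision, not full Portage syntax).

```python
"""Audit Gentoo Perl package atoms against the CVE-2009-1391 fixed version.

Added example (not from the bug report): checks whether an installed
Compress::Raw::Zlib version falls in the affected range "before 2.017".
"""
import re
from decimal import Decimal

# Affected module and first fixed version, as stated in the CVE text.
AFFECTED_PACKAGE = "Compress-Raw-Zlib"
FIXED_VERSION = "2.017"

# Simplified atom syntax (assumption, not full Portage grammar):
# optional "=", category/name, "-", version, optional "-rN" revision.
# Names may contain hyphens, so the name is matched non-greedily and the
# version must start with a digit.
ATOM_RE = re.compile(
    r"^=?(?P<cat>[\w+.-]+)/(?P<pn>[\w+.-]+?)-(?P<ver>\d[\w.]*)(?P<rev>-r\d+)?$"
)


def parse_atom(atom):
    """Split '=perl-core/Compress-Raw-Zlib-2.020' into (category, name, version)."""
    m = ATOM_RE.match(atom.strip())
    if not m:
        raise ValueError(f"not a package atom: {atom!r}")
    return m.group("cat"), m.group("pn"), m.group("ver")


def perl_version_key(version):
    """Order Perl decimal versions numerically: Decimal('2.02') == Decimal('2.020').

    A plain string comparison would treat '2.02' and '2.020' as different
    versions, which is wrong for Perl-style decimal version numbers.
    """
    return Decimal(version)


def is_affected(version, fixed=FIXED_VERSION):
    """True when the version is strictly before the first fixed release."""
    return perl_version_key(version) < perl_version_key(fixed)


def audit(installed_atoms, package=AFFECTED_PACKAGE, fixed=FIXED_VERSION):
    """Return the installed atoms that carry the affected module at a vulnerable version."""
    hits = []
    for atom in installed_atoms:
        cat, pn, ver = parse_atom(atom)
        # Gentoo ships the module as perl-core/<name> and as the
        # virtual/perl-<name> package that tracks it; check both.
        if pn in (package, f"perl-{package}") and is_affected(ver, fixed):
            hits.append(atom)
    return hits


# Constructed sample of installed package atoms (not real system output).
SAMPLE_INSTALLED = [
    "perl-core/Compress-Raw-Zlib-2.015",      # stable at report time: affected
    "virtual/perl-Compress-Raw-Zlib-2.015",   # virtual pinned to the same version
    "perl-core/Compress-Raw-Bzip2-2.015",     # different module: out of scope
    "perl-core/IO-Compress-2.020",            # different module: out of scope
]

if __name__ == "__main__":
    for hit in audit(SAMPLE_INSTALLED):
        print("AFFECTED:", hit)
```

Feeding the script the real installed list (for example the output of a package query tool, after stripping any slot or repository suffixes) is the only change needed to run it against a system; the version logic itself does not depend on where the atoms come from.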

------- Comment #9 From Brent Baude 2009-06-19 00:27:20 0000 -------
ppc64 done

------- Comment #10 From Torsten Veller 2009-06-22 20:53:04 0000 -------
amd64 done

------- Comment #11 From Torsten Veller 2009-07-13 07:34:30 0000 -------
@ppc: Can you please process this bug.

------- Comment #12 From nixnut 2009-07-19 17:08:54 0000 -------
ppc stable. closing since we're last

------- Comment #13 From Alex Legler 2009-07-19 17:33:19 0000 -------
GLSA first.
Request filed.

------- Comment #14 From Alex Legler 2009-08-18 21:41:21 0000 -------
GLSA 200908-07
