Debian Bug that triggered the following advisory: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=252253

-----------
Package: zlib
Vulnerability: denial of service
OpenPKG Specific: no

Affected Releases   Affected Packages               Corrected Packages
OpenPKG CURRENT     <= zlib-1.2.1-20040207          >= zlib-1.2.1-20040825
                    <= ghostscript-8.14-20040816    >= ghostscript-8.14-20040825
                    <= openpkg-20040811-20040811    >= openpkg-20040825-20040825
OpenPKG 2.1         <= zlib-1.2.1-2.1.0             >= zlib-1.2.1-2.1.1
                    <= ghostscript-8.14-2.1.1       >= ghostscript-8.14-2.1.2
                    <= openpkg-2.1.1-2.1.1          >= openpkg-2.1.2-2.1.2
OpenPKG 2.0         <= zlib-1.2.1-2.0.0             >= zlib-1.2.1-2.0.1
                    <= ghostscript-8.13-2.0.3       >= ghostscript-8.13-2.0.4
                    <= openpkg-2.0.3-2.0.3          >= openpkg-2.0.4-2.0.4
Dependent Packages: [...]

Description:
Triggered by a Debian bug report [1], a denial of service vulnerability was found in the ZLib compression library [0] versions 1.2.x (older versions are not affected). The problem arises from incorrect error handling in the inflate() and inflateBack() functions. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2004-0797 [2] to the problem.

Please check whether you are affected by running "<prefix>/bin/openpkg rpm -q zlib". If you have the "zlib" package installed and its version is affected (see above), we recommend that you immediately upgrade it (see Solution) and its dependent packages (see above) as well [3][4].
[...]
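The advisory's point is that inflate() kept working after it had already reported an error. The library fix is in the OpenPKG patch; on the calling side, the matching discipline is to treat any inflate error as terminal and never feed the same stream again. The wrapper below is an added example, not code from the advisory, the OpenPKG patch, or zlib itself. It uses Python's zlib module, which wraps whatever zlib the interpreter links against (assumption: any zlib 1.x), bounds the amount of output accepted, and tells a truncated stream apart from a corrupt one. The sample streams it works on are constructed inline.

```python
import zlib


def safe_inflate(data: bytes, max_out: int = 1 << 20, chunk: int = 4096):
    """Inflate a zlib stream defensively.

    Returns (status, output) where status is one of
    'ok', 'data_error', 'truncated', 'output_limit'.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pos = 0
    while pos < len(data):
        piece = data[pos:pos + chunk]
        pos += chunk
        try:
            # max_length caps how much this call may produce; allowing one byte
            # over the budget is enough to detect that the limit was exceeded
            produced = d.decompress(piece, max_out - len(out) + 1)
        except zlib.error:
            # zlib reported a data error: the stream is unusable from here on,
            # so stop and never call decompress() on this object again
            return "data_error", bytes(out)
        out += produced
        if len(out) > max_out:
            # decompression bomb or simply larger than we are willing to hold
            return "output_limit", bytes(out[:max_out])
    # eof is only set once the end-of-stream marker and the adler32 trailer
    # have been seen and verified
    if not d.eof:
        return "truncated", bytes(out)
    return "ok", bytes(out)


def zlib_runtime_version() -> str:
    """Version of the zlib loaded at runtime; this is what a shared-library
    upgrade changes (ZLIB_VERSION is the compile-time header version)."""
    return getattr(zlib, "ZLIB_RUNTIME_VERSION", zlib.ZLIB_VERSION)


def make_sample():
    """Constructed sample input: a highly compressible payload and its
    zlib-compressed form."""
    original = b"inflate error-handling demo\n" * 400
    return original, zlib.compress(original)


if __name__ == "__main__":
    original, comp = make_sample()
    print("runtime zlib:", zlib_runtime_version())
    print("intact    :", safe_inflate(comp)[0])
    print("truncated :", safe_inflate(comp[:-4])[0])          # trailer cut off
    print("bad header:", safe_inflate(b"\x78\x00" + comp[2:])[0])  # FCHECK fails
    print("too big   :", safe_inflate(comp, max_out=100)[0])
```

The corrupt case flips the zlib header's check bits so that the very first decompress() call raises; the wrapper returns immediately rather than retrying. The truncated case removes the 4-byte adler32 trailer: all payload bytes are produced, but eof stays false, which is the only signal that the stream did not complete.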
Created attachment 38229: Patch used by OpenPKG. Attachment contains the patch against zlib-1.2.1 used by OpenPKG (patching infback.c and inflate.c).
base-system, please verify and provide an updated ebuild if needed. Debian seems to be fixing it: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=252253
I can't verify the vuln is real without a test case, which means I can't verify the patch does what it's supposed to. Sorry, the only thing I can verify is that it patches clean, rebuilds, and a few things that link to zlib still work. I've put zlib-1.2.1-r3 in the tree, however, with the OpenPKG patch named as zlib-1.2.1-CAN-2004-0797.patch.
KEYWORDS="~x86 ~ppc ~sparc ~mips ~alpha ~arm ~hppa ~amd64 ~ia64 ~ppc64 ~s390"
Note: A revdep-rebuild probably should be done for any package that linked with the libzlib.a or uses zlib in a static environment. To get an idea, try doing:
/usr/bin/revdep-rebuild -X zlib -pv
marked stable for arm/hppa/amd64/ia64
Arches please mark zlib-1.2.1-r3 stable
sparc stable.
Stable on x86
ppc/alpha is now stable
mips stable now too
stable on ppc64
This is ready for GLSA. Security please draft and condordes double check.
GLSA drafted. Security please review.
Debian seems to patch those two files in the same way. Although the upload is not in their pool yet, it can be found at http://incoming.debian.org/ (http://incoming.debian.org/zlib_1.2.1.1-7.diff.gz). The new Changelog for zlib there says: +zlib (1:1.2.1.1-6) testing; urgency=high + + * Fix the error handling in the new inflate implementation to avoid + incorrectly continuing to process in the error state. Thanks to Johan + Thelmén <johan.thelmen@cygate.se> for his help in finding and fixing this + bug. This is CAN-2004-0797 (closes: #252253).
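Review bot: the quoted changelog stanza is for 1:1.2.1.1-6, but the diff linked from incoming.debian.org is zlib_1.2.1.1-7.diff.gz; before using the Debian upload as the reference for the Gentoo patch, confirm that the -7 diff still carries the infback.c/inflate.c error-handling change described under the -6 entry (closes: #252253) rather than only later packaging changes.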
GLSA 200406-26
The ebuild definitely should warn about statically linked binaries and provide instructions on how to rebuild them!
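Both the revdep-rebuild note above and this comment concern the same gap: a binary that linked libz.a (or otherwise compiled zlib in) keeps the vulnerable inflate() after the shared library is upgraded, and a dynamic-dependency scan won't see it. The script below is an added example, not part of the ebuild or this bug, that locates such copies. It relies on the version string zlib's inflate.c embeds (" inflate 1.2.1 Copyright ... Mark Adler ") and treats the absence of any libz.so reference in the file as the sign that the copy is static rather than a shared-library dependency; the assumption is that the binary has not had its string data stripped. The test inputs are constructed files, not real binaries.

```sh
#!/bin/sh
# Added example: find binaries and archives that embed a statically linked
# copy of zlib 1.2.x inflate, i.e. ones a revdep-rebuild against the shared
# library will not fix. Usage:
#   find_static_zlib /usr/bin/* /usr/sbin/* /usr/lib/*.a

# Print "static-zlib <version> <file>" for every file that carries the
# inflate copyright marker but no reference to libz.so. Returns 0 if at least
# one such file was found, 1 otherwise.
find_static_zlib() {
    found=1
    for f in "$@"; do
        [ -f "$f" ] || continue
        # -a: treat binary data as text; pull the version out of the marker
        ver=$(grep -a -o -E ' inflate [0-9]+\.[0-9]+(\.[0-9]+)? Copyright' "$f" 2>/dev/null \
              | head -n 1 | awk '{print $2}')
        [ -n "$ver" ] || continue
        if grep -a -q 'libz\.so' "$f"; then
            # references the shared library: the package upgrade covers it
            continue
        fi
        if is_affected_series "$ver"; then
            printf 'static-zlib %s %s\n' "$ver" "$f"
            found=0
        fi
    done
    return $found
}

# The advisory names the 1.2.x series only; older static copies are out of
# scope for this particular issue.
is_affected_series() {
    case "$1" in
        1.2|1.2.*) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run it over the directories revdep-rebuild would not inspect for static linkage (anything under /usr/lib/*.a, plus binaries from packages that are known to build statically); each line it prints is a candidate for a rebuild against the patched zlib.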
s390 stable
*** Bug 69877 has been marked as a duplicate of this bug. ***