| Field | Value |
|---|---|
| Summary | perl-core/Compress-Raw-Zlib-2.020: Off-by-one (CVE-2009-1391) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://marc.info/?l=amavis-user&m=124424604127291&w=2 |
| Whiteboard | B2 [glsa] |
| Reporter | Eray Aslan <eras> |
| Assignee | Gentoo Security <security> |
| CC | perl |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 268615 |
| Bug Blocks | 281955 |
Description

Eray Aslan 2009-06-08 05:50:03 UTC

The versions are unmasked. If early stabilization is wanted, all of the following should be stabilized:

=perl-core/IO-Compress-2.020
=perl-core/Compress-Raw-Zlib-2.020
=perl-core/Compress-Raw-Bzip2-2.020
=virtual/perl-IO-Compress-2.020
=virtual/perl-Compress-Raw-Zlib-2.020
=virtual/perl-Compress-Raw-Bzip2-2.020
=virtual/perl-Compress-Zlib-2.020
=virtual/perl-IO-Compress-Zlib-2.020
=virtual/perl-IO-Compress-Bzip2-2.020
=virtual/perl-IO-Compress-Base-2.020

Sparc stable:

Files=7, Tests=684, 11 wallclock secs ( 0.49 usr 0.06 sys + 9.61 cusr 0.29 csys = 10.45 CPU)
Result: PASS

Stable for HPPA.

Uh... I wonder why hppa and sparc ignored all the stabilizations on comment #1 :) I've fixed sparc. hppa: please also stabilize everything else.

alpha/arm/ia64/m68k/s390/sh/sparc/x86 stable

(In reply to comment #5)
> Uh... I wonder why hppa and sparc ignored all the stabilizations on comment #1
> :) I've fixed sparc.

Because the bug's Summary is misleading, I guess.

> hppa: please also stabilize everything else.

Thanks for the hint. Done.

CVE-2009-1391 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1391):
Off-by-one error in the inflate function in Zlib.xs in Compress::Raw::Zlib Perl module before 2.017, as used in AMaViS, SpamAssassin, and possibly other products, allows context-dependent attackers to cause a denial of service (hang or crash) via a crafted zlib compressed stream that triggers a heap-based buffer overflow, as exploited in the wild by Trojan.Downloader-71014 in June 2009.

ppc64 done

amd64 done

@ppc: Can you please process this bug.

ppc stable. Closing since we're last.

GLSA first.

Request filed.

GLSA 200908-07
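Since the CVE text above pins the fix to Compress::Raw::Zlib 2.017 and the exposed callers are mail filters (AMaViS, SpamAssassin) that inflate attacker-supplied streams, the practical check on a host is whether the loaded module is at least that version. The following script is an added example and not part of this bug, the GLSA, or the Compress::Raw::Zlib distribution; it assumes only the standard `UNIVERSAL::VERSION` method that every Perl module inherits, and the 2.017 threshold is taken from the NVD description quoted in the thread.

```perl
#!/usr/bin/perl
# Added example (not from the Gentoo bug or the module itself): report whether
# the installed Compress::Raw::Zlib predates the 2.017 release that fixed the
# off-by-one in inflate() (CVE-2009-1391), and exit non-zero if it does.
use strict;
use warnings;

# First release with the inflate() off-by-one fixed, per the NVD text.
use constant FIXED_VERSION => '2.017';

# Returns 1 if Compress::Raw::Zlib is installed at or above FIXED_VERSION,
# 0 if it is installed but older, and undef if it cannot be loaded at all.
sub compress_raw_zlib_is_fixed {
    my $loaded = eval { require Compress::Raw::Zlib; 1 };
    return undef unless $loaded;

    # UNIVERSAL::VERSION($min) dies if the module's $VERSION is below $min,
    # using Perl's own version comparison (so "2.020" >= "2.017" is handled
    # correctly and "2.1" is not mistaken for 2.100).
    my $ok = eval { Compress::Raw::Zlib->VERSION(FIXED_VERSION); 1 };
    return $ok ? 1 : 0;
}

sub main {
    my $fixed = compress_raw_zlib_is_fixed();

    if ( !defined $fixed ) {
        print "Compress::Raw::Zlib: not installed, nothing to check\n";
        exit 2;
    }

    my $installed = $Compress::Raw::Zlib::VERSION;
    if ($fixed) {
        print "Compress::Raw::Zlib $installed: >= ", FIXED_VERSION,
              ", CVE-2009-1391 fixed\n";
        exit 0;
    }

    print "Compress::Raw::Zlib $installed: < ", FIXED_VERSION,
          ", vulnerable to CVE-2009-1391 (heap overflow in inflate), upgrade\n";
    exit 1;
}

main();
```

Run it under the same perl that the mail filter uses (a distribution may ship several, and a vendor-bundled module in a different `@INC` is what actually gets loaded), or inline it as `perl -MCompress::Raw::Zlib -e 'Compress::Raw::Zlib->VERSION(2.017)'`, which dies with the installed version in the message when it is too old. On Gentoo the stabilized atoms listed in this bug are the =2.020 ebuilds, so a fixed system reports a version of 2.020 or later.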