Summary: | sys-libs/zlib-1.2.*: denial of service vulnerability | ||||||
---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Matthias Geerdsen (RETIRED) <vorlon> | ||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | major | CC: | base-system, ben | ||||
Priority: | High | ||||||
Version: | unspecified | ||||||
Hardware: | All | ||||||
OS: | All | ||||||
URL: | http://www.openpkg.org/security/OpenPKG-SA-2004.038-zlib.html | ||||||
Whiteboard: | A3 [glsa] jaervosz | ||||||
Package list: | Runtime testing required: | --- | |||||
Attachments: |
|
Description
Matthias Geerdsen (RETIRED)
2004-08-26 01:38:01 UTC
Created attachment 38229 [details, diff]
Patch used by OpenPKG
Attachment contains the patch against zlib-1.2.1 used by OpenPKG (patching
infback.c and inflate.c)
base-system please verify and provide an updated ebuild if needed. Debian seems to be fixing it: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=252253 I can't verify the vuln is real without a test case which means I can't verify the patch does what it's supposed to. Sorry the only thing I can verify is that it patches clean, rebuilds and a few things that link to zlib still work. I've put zlib-1.2.1-r3 in the tree however with the OpenPKG patch named as zlib-1.2.1-CAN-2004-0797.patch KEYWORDS="~x86 ~ppc ~sparc ~mips ~alpha ~arm ~hppa ~amd64 ~ia64 ~ppc64 ~s390" Note: A revdep-rebuild probably should be done for any package that linked with the libzlib.a or uses zlib in a static environment. To get an idea try doing. /usr/bin/revdep-rebuild -X zlib -pv marked stable for arm/hppa/amd64/ia64 Arches please mark zlib-1.2.1-r3 stable sparc stable. Stable on x86 ppc/alpha is now stable mips stable too now too stable on ppc64 This is ready for GLSA. Security please draft and condordes double check. GLSA drafted. Security please review. Debian seems to patch those two files in the same way. Although the upload is not in their pool yet, it can be found at http://incoming.debian.org/ (http://incoming.debian.org/zlib_1.2.1.1-7.diff.gz). The new Changelog for zlib there says: +zlib (1:1.2.1.1-6) testing; urgency=high + + * Fix the error handling in the new inflate implementation to avoid + incorrectly continuing to process in the error state. Thanks to Johan + Thelmén <johan.thelmen@cygate.se> for his help in finding and fixing this + bug. This is CAN-2004-0797 (closes: #252253). Debian seems to patch those two files in the same way. Although the upload is not in their pool yet, it can be found at http://incoming.debian.org/ (http://incoming.debian.org/zlib_1.2.1.1-7.diff.gz). The new Changelog for zlib there says: +zlib (1:1.2.1.1-6) testing; urgency=high + + * Fix the error handling in the new inflate implementation to avoid + incorrectly continuing to process in the error state. Thanks to Johan + Thelmén <johan.thelmen@cygate.se> for his help in finding and fixing this + bug. This is CAN-2004-0797 (closes: #252253). GLSA 200406-26 The ebuild definetely should warn about static linked binaries and provide instructions on how to rebuild them! s390 stable *** Bug 69877 has been marked as a duplicate of this bug. *** |