Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 61749 - sys-libs/zlib-1.2.*: denial of service vulnerability
Summary: sys-libs/zlib-1.2.*: denial of service vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major (vote)
Assignee: Gentoo Security
URL: http://www.openpkg.org/security/OpenP...
Whiteboard: A3 [glsa] jaervosz
Keywords:
: 69877 (view as bug list)
Depends on:
Blocks:
 
Reported: 2004-08-26 01:38 UTC by Matthias Geerdsen (RETIRED)
Modified: 2011-10-30 22:37 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Patch used by OpenPKG (zlib.patch,786 bytes, patch)
2004-08-26 01:54 UTC, Matthias Geerdsen (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Geerdsen (RETIRED) gentoo-dev 2004-08-26 01:38:01 UTC
Debian Bug that triggered the following advisory: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=252253

-----------

Package:             zlib
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= zlib-1.2.1-20040207       >= zlib-1.2.1-20040825
                     <= ghostscript-8.14-20040816 >= ghostscript-8.14-20040825
                     <= openpkg-20040811-20040811 >= openpkg-20040825-20040825
OpenPKG 2.1          <= zlib-1.2.1-2.1.0          >= zlib-1.2.1-2.1.1
                     <= ghostscript-8.14-2.1.1    >= ghostscript-8.14-2.1.2
                     <= openpkg-2.1.1-2.1.1       >= openpkg-2.1.2-2.1.2
OpenPKG 2.0          <= zlib-1.2.1-2.0.0          >= zlib-1.2.1-2.0.1
                     <= ghostscript-8.13-2.0.3    >= ghostscript-8.13-2.0.4
                     <= openpkg-2.0.3-2.0.3       >= openpkg-2.0.4-2.0.4

Dependent Packages:  
[...]

Description:
  Triggered by a Debian bug report [1], a denial of service vulnerability
  was found in the ZLib compression library [0] versions 1.2.x
  (older versions are not affected). The problem arises from incorrect
  error handling in the inflate() and inflateBack() functions. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2004-0797 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q zlib". If you have the "zlib" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) and its dependent packages (see above) as well [3][4].

[...]
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2004-08-26 01:54:18 UTC
Created attachment 38229 [details, diff]
Patch used by OpenPKG

Attachment contains the patch against zlib-1.2.1 used by OpenPKG (patching
infback.c and inflate.c)
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2004-08-26 02:45:46 UTC
base-system please verify and provide an updated ebuild if needed.


Debian seems to be fixing it:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=252253
Comment 3 solar (RETIRED) gentoo-dev 2004-08-26 08:01:05 UTC
I can't verify the vuln is real without a test case which means I can't verify the patch does what it's supposed to.
Sorry the only thing I can verify is that it patches clean, rebuilds and a few things that link to zlib still work.

I've put zlib-1.2.1-r3 in the tree however with the OpenPKG patch named as zlib-1.2.1-CAN-2004-0797.patch
KEYWORDS="~x86 ~ppc ~sparc ~mips ~alpha ~arm ~hppa ~amd64 ~ia64 ~ppc64 ~s390"
Comment 4 solar (RETIRED) gentoo-dev 2004-08-26 08:31:37 UTC
Note: A revdep-rebuild probably should be done for any package that linked with the libzlib.a or uses zlib in a static environment.

To get an idea try doing.
/usr/bin/revdep-rebuild -X zlib -pv
Comment 5 SpanKY gentoo-dev 2004-08-26 10:41:07 UTC
marked stable for arm/hppa/amd64/ia64
Comment 6 Sune Kloppenborg Jeppesen gentoo-dev 2004-08-26 11:30:33 UTC
Arches please mark zlib-1.2.1-r3 stable
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2004-08-26 11:47:43 UTC
sparc stable.
Comment 8 Jon Portnoy (RETIRED) gentoo-dev 2004-08-26 16:31:49 UTC
Stable on x86
Comment 9 SpanKY gentoo-dev 2004-08-26 19:03:45 UTC
ppc/alpha is now stable
Comment 10 SpanKY gentoo-dev 2004-08-26 19:22:04 UTC
mips stable too now too
Comment 11 Tom Gall (RETIRED) gentoo-dev 2004-08-26 20:10:59 UTC
stable on ppc64 
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2004-08-26 21:33:51 UTC
This is ready for GLSA. Security please draft and condordes double check.
Comment 13 Sune Kloppenborg Jeppesen gentoo-dev 2004-08-26 22:22:34 UTC
GLSA drafted. Security please review.
Comment 14 Matthias Geerdsen (RETIRED) gentoo-dev 2004-08-27 00:45:33 UTC
Debian seems to patch those two files in the same way. Although the upload is not in their pool yet, it can be found at http://incoming.debian.org/ (http://incoming.debian.org/zlib_1.2.1.1-7.diff.gz).
The new Changelog for zlib there says:

+zlib (1:1.2.1.1-6) testing; urgency=high
+
+  * Fix the error handling in the new inflate implementation to avoid
+    incorrectly continuing to process in the error state.  Thanks to Johan
+    Thelmén <johan.thelmen@cygate.se> for his help in finding and fixing this
+    bug.  This is CAN-2004-0797 (closes: #252253).
Comment 15 Matthias Geerdsen (RETIRED) gentoo-dev 2004-08-27 00:45:33 UTC
Debian seems to patch those two files in the same way. Although the upload is not in their pool yet, it can be found at http://incoming.debian.org/ (http://incoming.debian.org/zlib_1.2.1.1-7.diff.gz).
The new Changelog for zlib there says:

+zlib (1:1.2.1.1-6) testing; urgency=high
+
+  * Fix the error handling in the new inflate implementation to avoid
+    incorrectly continuing to process in the error state.  Thanks to Johan
+    Thelmén <johan.thelmen@cygate.se> for his help in finding and fixing this
+    bug.  This is CAN-2004-0797 (closes: #252253).
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2004-08-27 12:04:12 UTC
GLSA 200406-26
Comment 17 Tobias Sager 2004-08-28 01:12:29 UTC
The ebuild definetely should warn about static linked binaries and provide instructions on how to rebuild them!
Comment 18 SpanKY gentoo-dev 2004-09-22 20:53:13 UTC
s390 stable
Comment 19 Sune Kloppenborg Jeppesen gentoo-dev 2004-11-02 13:24:13 UTC
*** Bug 69877 has been marked as a duplicate of this bug. ***