perl-core/Compress-Raw-Zlib-2.015 (current stable) has a buffer overflow which was corrected in perl-core/Compress-Raw-Zlib-2.017. It results in a hung process during email checking. Examples were seen in the wild. Please check the above URL for the details.
Please unmask and stabilize perl-core/Compress-Raw-Zlib-2.020 (latest release, currently hard masked) or at least anything >=perl-core/Compress-Raw-Zlib-2.017.
The versions are unmasked.
If early stabilization is wanted, all of the following should be stabilized:
Arches, please stabilize as per comment 1.
Files=7, Tests=684, 11 wallclock secs ( 0.49 usr 0.06 sys + 9.61 cusr 0.29 csys = 10.45 CPU)
Stable for HPPA.
Uh... I wonder why hppa and sparc ignored all the stabilizations on comment #1 :) I've fixed sparc.
hppa: please also stabilize everything else.
(In reply to comment #5)
> Uh...i wonder why hppa and sparc ignored all the stabilizations on comment #1
> :) I've fixed sparc.
Because the bug's Summary is misleading, I guess.
> hppa: please also stabilize everything else.
Thanks for the hint.
Off-by-one error in the inflate function in Zlib.xs in Compress::Raw::Zlib Perl module before 2.017, as used in AMaViS, SpamAssassin, and possibly other products, allows context-dependent attackers to cause a denial of service (hang or crash) via a crafted zlib compressed stream that triggers a heap-based buffer overflow, as exploited in the wild by Trojan.Downloader-71014 in June 2009.
@ppc: Can you please process this bug?
ppc stable. Closing since we're last.