http://lists.centos.org/pipermail/centos-announce/2005-July/thread.html

On 7/7/05, William Warren <hescominsoon@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Has Centos been tested for this yet?
>
>
> -------- Original Message --------
> Subject: [Full-disclosure] [ GLSA 200507-05 ] zlib: Buffer overflow
> Date: Wed, 06 Jul 2005 16:23:20 +0200
> From: Thierry Carrez <koon@xxxxxxxxxx>
> Organization: Gentoo Linux
> To: gentoo-announce@xxxxxxxxxxxxxxxx
> CC: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, security-alerts@xxxxxxxxxxxxxxxxx
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Gentoo Linux Security Advisory                           GLSA 200507-05
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>                                             http://security.gentoo.org/
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
>   Severity: High
>      Title: zlib: Buffer overflow
>       Date: July 06, 2005
>       Bugs: #98121
>         ID: 200507-05
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> Synopsis
> ========
>
> A buffer overflow has been discovered in zlib, potentially resulting in
> the execution of arbitrary code.
>
> Background
> ==========
>
> zlib is a widely used free and patent unencumbered data compression
> library.
>
> Affected packages
> =================
>
>     -------------------------------------------------------------------
>      Package          /  Vulnerable  /                       Unaffected
>     -------------------------------------------------------------------
>   1  sys-libs/zlib       < 1.2.2-r1                         >= 1.2.2-r1
>
> Description
> ===========
>
> Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a
> buffer overflow in zlib. A bounds checking operation failed to take
> invalid data into account, allowing a specifically malformed deflate
> data stream to overrun a buffer.
>
> Impact
> ======
>
> An attacker could construct a malformed data stream, embedding it
> within network communication or an application file format, potentially
> resulting in the execution of arbitrary code when decoded by the
> application using the zlib library.
>
> Workaround
> ==========
>
> There is no known workaround at this time.
>
> Resolution
> ==========
>
> All zlib users should upgrade to the latest version:
>
>     # emerge --sync
>     # emerge --ask --oneshot --verbose ">=sys-libs/zlib-1.2.2-r1"
>
> References
> ==========
>
>   [ 1 ] CAN-2005-2096
>         http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096
>
> Availability
> ============
>
> This GLSA and any updates to it are available for viewing at
> the Gentoo Security Website:
>
>   http://security.gentoo.org/glsa/glsa-200507-05.xml
>
> Concerns?
> =========
>
> Security is a primary focus of Gentoo Linux and ensuring the
> confidentiality and security of our users machines is of utmost
> importance to us. Any security concerns should be addressed to
> security@xxxxxxxxxx or alternatively, you may file a bug at
> http://bugs.gentoo.org.
>
> License
> =======
>
> Copyright 2005 Gentoo Foundation, Inc; referenced text
> belongs to its owner(s).
>
> The contents of this document are licensed under the
> Creative Commons - Attribution / Share Alike license.
>
> http://creativecommons.org/licenses/by-sa/2.0
>
>
> --
> My "Foundation" verse:
> Isa 54:17 No weapon that is formed against thee shall prosper;
> and every tongue that shall rise against thee in judgment thou
> shalt condemn. This is the heritage of the servants of the LORD,
> and their righteousness is of me, saith the LORD.
>
> -- carpe ductum -- "Grab the tape"
> CDTT (Certified Duct Tape Technician)
>
> Linux user #322099
> Machines:
>   206822
>   256638
>   276825
> http://counter.li.org/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
>
>

--
Beau Henderson
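The advisory's "Affected packages" table gives the vulnerable range as "< 1.2.2-r1", where "-rN" is a Gentoo ebuild revision, so a plain "1.2.2" still sorts as vulnerable. As an added illustration (not part of the advisory or of any Gentoo tooling), the script below parses versions in that format, decides whether an installed version falls in the vulnerable range, and reports the zlib the running interpreter actually loaded. Upstream version strings carry no "-rN", so a distro-patched library can only be cleared by the package manager's metadata, not by this check.

```python
"""Version check against the GLSA 200507-05 affected range (added example)."""
import re
import zlib

# Unaffected boundary from the advisory's table: ">= 1.2.2-r1".
FIXED = "1.2.2-r1"

# Dotted numeric version with an optional Gentoo "-rN" revision suffix.
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(text: str) -> tuple:
    """Split '1.2.2-r1' into ((1, 2, 2), 1); a missing -rN counts as revision 0."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    revision = int(m.group(2) or 0)
    return numbers, revision


def is_vulnerable(installed: str, fixed: str = FIXED) -> bool:
    """True when installed < fixed, i.e. inside the advisory's '< 1.2.2-r1' range.

    Tuple comparison orders the numeric components first and the ebuild
    revision second, so 1.2.2 < 1.2.2-r1 < 1.2.2-r2 < 1.2.3.
    """
    return parse_version(installed) < parse_version(fixed)


def runtime_zlib_status() -> dict:
    """Report the zlib this interpreter loaded at run time (not at build time).

    ZLIB_RUNTIME_VERSION is the library actually linked in; ZLIB_VERSION is
    the header version Python was compiled against and is used as a fallback.
    A version string this parser does not understand is reported as None
    rather than treated as safe.
    """
    version = getattr(zlib, "ZLIB_RUNTIME_VERSION", zlib.ZLIB_VERSION)
    try:
        vulnerable = is_vulnerable(version)
    except ValueError:
        vulnerable = None
    return {"version": version, "vulnerable_by_version": vulnerable}


if __name__ == "__main__":
    print(runtime_zlib_status())
```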