Gentoo Archives: gentoo-announce

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200508-01 ] Compress::Zlib: Buffer overflow
Date: Mon, 01 Aug 2005 06:13:52
Message-Id: 200508010757.56044.jaervosz@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 200508-01
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: High
8 Title: Compress::Zlib: Buffer overflow
9 Date: August 01, 2005
10 Bugs: #100540
11 ID: 200508-01
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 Compress::Zlib is vulnerable to a buffer overflow which could
19 potentially lead to execution of arbitrary code.
20
21 Background
22 ==========
23
24 The Compress::Zlib is a Perl module which provides an interface to the
25 zlib compression library.
26
27 Affected packages
28 =================
29
30 -------------------------------------------------------------------
31 Package / Vulnerable / Unaffected
32 -------------------------------------------------------------------
33 1 dev-perl/Compress-Zlib < 1.35 >= 1.35
34
35 Description
36 ===========
37
38 Compress::Zlib 1.34 contains a local vulnerable version of zlib, which
39 may lead to a buffer overflow.
40
41 Impact
42 ======
43
44 By creating a specially crafted compressed data stream, attackers can
45 overwrite data structures for applications that use Compress::Zlib,
46 resulting in a Denial of Service and potentially arbitrary code
47 execution.
48
49 Workaround
50 ==========
51
52 There is no known workaround at this time.
53
54 Resolution
55 ==========
56
57 All Compress::Zlib users should upgrade to the latest version:
58
59 # emerge --sync
60 # emerge --ask --oneshot --verbose ">=dev-perl/Compress-Zlib-1.35"
61
62 References
63 ==========
64
65 [ 1 ] GLSA 200507-19
66 http://www.gentoo.org/security/en/glsa/glsa-200507-19.xml
67 [ 2 ] GLSA 200507-05
68 http://www.gentoo.org/security/en/glsa/glsa-200507-05.xml
69 [ 3 ] CAN-2005-1849
70 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1849
71 [ 4 ] CAN-2005-2096
72 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096
73
74 Availability
75 ============
76
77 This GLSA and any updates to it are available for viewing at
78 the Gentoo Security Website:
79
80 http://security.gentoo.org/glsa/glsa-200508-01.xml
81
82 Concerns?
83 =========
84
85 Security is a primary focus of Gentoo Linux and ensuring the
86 confidentiality and security of our users machines is of utmost
87 importance to us. Any security concerns should be addressed to
88 security@g.o or alternatively, you may file a bug at
89 http://bugs.gentoo.org.
90
91 License
92 =======
93
94 Copyright 2005 Gentoo Foundation, Inc; referenced text
95 belongs to its owner(s).
96
97 The contents of this document are licensed under the
98 Creative Commons - Attribution / Share Alike license.
99
100 http://creativecommons.org/licenses/by-sa/2.0