<<< Date Index >>>     <<< Thread Index >>>

[OpenPKG-SA-2005.013] OpenPKG Security Advisory (zlib)



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@xxxxxxxxxxx                         openpkg@xxxxxxxxxxx
OpenPKG-SA-2005.013                                          07-Jul-2005
________________________________________________________________________

Package:             zlib
Vulnerability:       denial of service
OpenPKG Specific:    no

Affected Releases:   Affected Packages:           Corrected Packages:
OpenPKG CURRENT      <= zlib-1.2.2-20050219       >= zlib-1.2.2-20050706
                     <= ghostscript-8.51-20050423 >= ghostscript-8.51-20050706
                     <= openpkg-20050615-20050615 >= openpkg-20050706-20050706
                     <= qt-3.3.4-20050503         >= qt-3.3.4-20050707

OpenPKG 2.4          <= zlib-1.2.2-2.4.0          >= zlib-1.2.2-2.4.1
                     <= ghostscript-8.51-2.4.0    >= ghostscript-8.51-2.4.1
                     <= openpkg-2.4.0-2.4.0       >= openpkg-2.4.1-2.4.1
                     <= qt-3.3.4-2.4.0            >= qt-3.3.4-2.4.1

OpenPKG 2.3          <= zlib-1.2.2-2.3.0          >= zlib-1.2.2-2.3.1
                     <= ghostscript-8.14-2.3.0    >= ghostscript-8.14-2.3.1
                     <= openpkg-2.3.3-2.3.3       >= openpkg-2.3.4-2.3.4
                     <= qt-3.3.4-2.3.0            >= qt-3.3.4-2.3.1

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      abiword aegis aide analog apache apache2 autotrace
                     blender bsdtar cadaver cairo citadel clamav
                     cups curl cvs cvsps cvsync dia doxygen emacs
                     ethereal exim expat file firefox flowtools gd
                     geoip gif2png gift-gnutella gift-openft gimp gmime
                     gnome-vfs gnupg gnuplot gnutls htdig imagemagick
                     ircd jitterbug kcd lbreakout lcms libarchive
                     librsync libwmf libxml lout lynx magicpoint mcrypt
                     mixmaster mng mozilla mplayer mrtg mysql mysql3
                     mysql40 mysql41 mysqlcc nagios neon netpbm opencdk
                     openpkg openssh openssl pdflib perl-comp perl-gd
                     perl-tk pgpdump php php3 php5 pnet png postgresql
                     postgresql7 pstoedit python qt ratbox ripe-dbase
                     rrdtool ruby scribus sio subversion tardy tetex
                     tiff tightvnc transfig ttmkfdir w3m webalizer wml
                     wv xdelta xemacs xfig xmame xplanet xv zimg

OpenPKG 2.4          aegis aide analog apache apache2 autotrace cadaver
                     cairo clamav curl cvs emacs exim expat file
                     firefox flowtools gd geoip gif2png gift-gnutella
                     gift-openft gimp gmime gnupg gnuplot htdig
                     imagemagick ircd lcms libwmf libxml lout lynx
                     magicpoint mng mozilla mrtg mysql mysql40 neon
                     netpbm opencdk openssh openssl pdflib perl-comp
                     perl-tk php php5 png postgresql postgresql7
                     pstoedit python ratbox ripe-dbase rrdtool sio
                     subversion tardy tetex tiff tightvnc transfig
                     ttmkfdir w3m webalizer wml xdelta xfig xv

OpenPKG 2.3          aegis aide analog apache apache2 autotrace cadaver
                     clamav curl cvs emacs exim expat file flowtools
                     gd geoip gif2png gift-gnutella gift-openft gimp
                     gmime gnupg gnuplot htdig imagemagick ircd lcms
                     libwmf libxml lout lynx mng mozilla mrtg mysql
                     mysql40 neon netpbm opencdk openssh openssl
                     pdflib perl-comp perl-tk php php5 png postgresql
                     postgresql7 pstoedit python ripe-dbase rrdtool
                     sio subversion tardy tetex tiff tightvnc transfig
                     ttmkfdir w3m webalizer wml xdelta xfig xv

Description:
  Tavis Ormandy from Gentoo discovered a Denial of Service (DoS)
  vulnerability in the ZLib compression library [1] versions 1.2.x
  (older versions are not affected). An error in the handling of corrupt
  compressed data streams can result in a buffer being overflowed. By
  carefully crafting a corrupt compressed data stream, an attacker
  could overwrite data structures in a ZLib-using application. The
  Common Vulnerabilities and Exposures (CVE) project assigned the id
  CAN-2005-2096 [2] to the problem.

  Please check whether you are affected by running "<prefix>/bin/openpkg
  rpm -q zlib". If you have the "zlib" package installed and its version
  is affected (see above), we recommend that you immediately upgrade it
  (see Solution) and its dependent packages (see above), too [3][4].

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the most recent release OpenPKG 2.4, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/2.4/UPD
  ftp> get zlib-1.2.2-2.4.1.src.rpm
  ftp> bye
  $ <prefix>/bin/openpkg rpm -v --checksig zlib-1.2.2-2.4.1.src.rpm
  $ <prefix>/bin/openpkg rpm --rebuild zlib-1.2.2-2.4.1.src.rpm
  $ su -
  # <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/zlib-1.2.2-2.4.1.*.rpm

  Additionally, we recommend that you rebuild and reinstall
  all dependent packages (see above), if any, too [3][4].
________________________________________________________________________

References:
  [1] http://www.zlib.net/
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/2.4/UPD/zlib-1.2.2-2.4.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/2.3/UPD/zlib-1.2.2-2.3.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/2.4/UPD/
  [8] ftp://ftp.openpkg.org/release/2.3/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@xxxxxxxxxxx>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@xxxxxxxxxxx>

iD8DBQFCzR+OgHWT4GPEy58RAhP4AKCBIX+ekTTr4bTMOaB9Sm4D+umstACgpsD9
Qkh660UJivb/cm8b8qk7Bc0=
=E9eq
-----END PGP SIGNATURE-----