[OpenPKG-SA-2005.013] OpenPKG Security Advisory (zlib)
________________________________________________________________________
OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html                 http://www.openpkg.org
openpkg-security@xxxxxxxxxxx                         openpkg@xxxxxxxxxxx
OpenPKG-SA-2005.013                                  07-Jul-2005
________________________________________________________________________
Package: zlib
Vulnerability: denial of service
OpenPKG Specific: no
Affected Releases:   Affected Packages:              Corrected Packages:
OpenPKG CURRENT      <= zlib-1.2.2-20050219          >= zlib-1.2.2-20050706
                     <= ghostscript-8.51-20050423    >= ghostscript-8.51-20050706
                     <= openpkg-20050615-20050615    >= openpkg-20050706-20050706
                     <= qt-3.3.4-20050503            >= qt-3.3.4-20050707
OpenPKG 2.4          <= zlib-1.2.2-2.4.0             >= zlib-1.2.2-2.4.1
                     <= ghostscript-8.51-2.4.0       >= ghostscript-8.51-2.4.1
                     <= openpkg-2.4.0-2.4.0          >= openpkg-2.4.1-2.4.1
                     <= qt-3.3.4-2.4.0               >= qt-3.3.4-2.4.1
OpenPKG 2.3          <= zlib-1.2.2-2.3.0             >= zlib-1.2.2-2.3.1
                     <= ghostscript-8.14-2.3.0       >= ghostscript-8.14-2.3.1
                     <= openpkg-2.3.3-2.3.3          >= openpkg-2.3.4-2.3.4
                     <= qt-3.3.4-2.3.0               >= qt-3.3.4-2.3.1
Affected Releases:   Dependent Packages:
OpenPKG CURRENT      abiword aegis aide analog apache apache2 autotrace
                     blender bsdtar cadaver cairo citadel clamav
                     cups curl cvs cvsps cvsync dia doxygen emacs
                     ethereal exim expat file firefox flowtools gd
                     geoip gif2png gift-gnutella gift-openft gimp gmime
                     gnome-vfs gnupg gnuplot gnutls htdig imagemagick
                     ircd jitterbug kcd lbreakout lcms libarchive
                     librsync libwmf libxml lout lynx magicpoint mcrypt
                     mixmaster mng mozilla mplayer mrtg mysql mysql3
                     mysql40 mysql41 mysqlcc nagios neon netpbm opencdk
                     openpkg openssh openssl pdflib perl-comp perl-gd
                     perl-tk pgpdump php php3 php5 pnet png postgresql
                     postgresql7 pstoedit python qt ratbox ripe-dbase
                     rrdtool ruby scribus sio subversion tardy tetex
                     tiff tightvnc transfig ttmkfdir w3m webalizer wml
                     wv xdelta xemacs xfig xmame xplanet xv zimg
OpenPKG 2.4          aegis aide analog apache apache2 autotrace cadaver
                     cairo clamav curl cvs emacs exim expat file
                     firefox flowtools gd geoip gif2png gift-gnutella
                     gift-openft gimp gmime gnupg gnuplot htdig
                     imagemagick ircd lcms libwmf libxml lout lynx
                     magicpoint mng mozilla mrtg mysql mysql40 neon
                     netpbm opencdk openssh openssl pdflib perl-comp
                     perl-tk php php5 png postgresql postgresql7
                     pstoedit python ratbox ripe-dbase rrdtool sio
                     subversion tardy tetex tiff tightvnc transfig
                     ttmkfdir w3m webalizer wml xdelta xfig xv
OpenPKG 2.3          aegis aide analog apache apache2 autotrace cadaver
                     clamav curl cvs emacs exim expat file flowtools
                     gd geoip gif2png gift-gnutella gift-openft gimp
                     gmime gnupg gnuplot htdig imagemagick ircd lcms
                     libwmf libxml lout lynx mng mozilla mrtg mysql
                     mysql40 neon netpbm opencdk openssh openssl
                     pdflib perl-comp perl-tk php php5 png postgresql
                     postgresql7 pstoedit python ripe-dbase rrdtool
                     sio subversion tardy tetex tiff tightvnc transfig
                     ttmkfdir w3m webalizer wml xdelta xfig xv
Description:
Tavis Ormandy from Gentoo discovered a Denial of Service (DoS)
vulnerability in the zlib compression library [1] versions 1.2.x
(older versions are not affected). An error in the handling of corrupt
compressed data streams can result in a buffer overflow. By
carefully crafting a corrupt compressed data stream, an attacker
could overwrite data structures in an application that uses zlib. The
Common Vulnerabilities and Exposures (CVE) project assigned the
identifier CAN-2005-2096 [2] to the problem.
Please check whether you are affected by running "<prefix>/bin/openpkg
rpm -q zlib". If you have the "zlib" package installed and its version
is affected (see above), we recommend that you immediately upgrade it
(see Solution) and also its dependent packages (see above) [3][4].
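An added check, not part of the advisory: it reads the name-version-release lines that "openpkg rpm -q" prints (the same form as the package table above), compares them against the "Corrected Packages" column with a simplified rpm-style version comparison, and reports which installed packages still need the update. The sample query output is constructed, not real.

```python
import re

# Corrected versions per OpenPKG release, copied from the advisory table above.
CORRECTED = {
    "CURRENT": {"zlib": "1.2.2-20050706", "ghostscript": "8.51-20050706",
                "openpkg": "20050706-20050706", "qt": "3.3.4-20050707"},
    "2.4": {"zlib": "1.2.2-2.4.1", "ghostscript": "8.51-2.4.1",
            "openpkg": "2.4.1-2.4.1", "qt": "3.3.4-2.4.1"},
    "2.3": {"zlib": "1.2.2-2.3.1", "ghostscript": "8.14-2.3.1",
            "openpkg": "2.3.4-2.3.4", "qt": "3.3.4-2.3.1"},
}

# Constructed sample of "openpkg rpm -q zlib ghostscript openpkg qt" output
# on an OpenPKG 2.4 host (not real output).
SAMPLE_QUERY_OUTPUT = """\
zlib-1.2.2-2.4.0
package ghostscript is not installed
openpkg-2.4.1-2.4.1
qt-3.3.4-2.4.0
"""

def _segments(s):
    # Split into digit and letter runs as rpmvercmp does: digit runs compare
    # numerically and rank above letter runs; more equal segments wins.
    return [(1, int(t)) if t.isdigit() else (0, t)
            for t in re.findall(r"\d+|[A-Za-z]+", s)]

def rpm_vercmp(a, b):
    """Simplified rpm version comparison: -1 if a < b, 0 if equal, 1 if a > b."""
    sa, sb = _segments(a), _segments(b)
    return (sa > sb) - (sa < sb)

def is_affected(nvr, release):
    """True if an installed name-version-release is older than the corrected one."""
    name, ver, rel = nvr.rsplit("-", 2)
    corrected = CORRECTED[release].get(name)
    if corrected is None:
        return False            # package is not covered by this advisory
    cver, crel = corrected.split("-")
    # Version decides first; the release field only matters when versions tie.
    return (rpm_vercmp(ver, cver) or rpm_vercmp(rel, crel)) < 0

def audit(query_lines, release):
    """Return the installed packages from rpm -q output that still need the update."""
    affected = []
    for line in query_lines:
        line = line.strip()
        if not line or line.endswith("is not installed"):
            continue            # rpm's message for a package that is absent
        if is_affected(line, release):
            affected.append(line)
    return affected
```

Running audit(SAMPLE_QUERY_OUTPUT.splitlines(), "2.4") lists zlib and qt as still affected while the corrected openpkg package and the absent ghostscript are skipped.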
Solution:
Select the updated source RPM appropriate for your OpenPKG release
[5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
location, verify its integrity [9], build a corresponding binary RPM
from it [3] and update your OpenPKG installation by applying the
binary RPM [4]. For the most recent release OpenPKG 2.4, perform the
following operations to permanently fix the security problem (for
other releases adjust accordingly).
$ ftp ftp.openpkg.org
ftp> bin
ftp> cd release/2.4/UPD
ftp> get zlib-1.2.2-2.4.1.src.rpm
ftp> bye
$ <prefix>/bin/openpkg rpm -v --checksig zlib-1.2.2-2.4.1.src.rpm
$ <prefix>/bin/openpkg rpm --rebuild zlib-1.2.2-2.4.1.src.rpm
$ su -
# <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/zlib-1.2.2-2.4.1.*.rpm
Additionally, we recommend that you also rebuild and reinstall
all dependent packages (see above), if any [3][4].
________________________________________________________________________
References:
[1] http://www.zlib.net/
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096
[3] http://www.openpkg.org/tutorial.html#regular-source
[4] http://www.openpkg.org/tutorial.html#regular-binary
[5] ftp://ftp.openpkg.org/release/2.4/UPD/zlib-1.2.2-2.4.1.src.rpm
[6] ftp://ftp.openpkg.org/release/2.3/UPD/zlib-1.2.2-2.3.1.src.rpm
[7] ftp://ftp.openpkg.org/release/2.4/UPD/
[8] ftp://ftp.openpkg.org/release/2.3/UPD/
[9] http://www.openpkg.org/security.html#signature
________________________________________________________________________
For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@xxxxxxxxxxx>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________