[OpenPKG-SA-2005.014] OpenPKG Security Advisory (zlib)
________________________________________________________________________
OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html                 http://www.openpkg.org
openpkg-security@xxxxxxxxxxx                         openpkg@xxxxxxxxxxx
OpenPKG-SA-2005.014                                  28-Jul-2005
________________________________________________________________________
Package: zlib
Vulnerability: denial of service
OpenPKG Specific: no
Affected Releases:   Affected Packages:              Corrected Packages:
OpenPKG CURRENT      <= zlib-1.2.2-20050706          >= zlib-1.2.3-20050722
                     <= ghostscript-8.51-20050706    >= ghostscript-8.51-20050722
                     <= openpkg-20050706-20050706    >= openpkg-20050722-20050722
                     <= qt-3.3.4-20050707            >= qt-3.3.4-20050728
OpenPKG 2.4          <= zlib-1.2.2-2.4.1             >= zlib-1.2.2-2.4.2
                     <= ghostscript-8.51-2.4.1       >= ghostscript-8.51-2.4.2
                     <= openpkg-2.4.1-2.4.1          >= openpkg-2.4.2-2.4.2
                     <= qt-3.3.4-2.4.1               >= qt-3.3.4-2.4.2
OpenPKG 2.3          <= zlib-1.2.2-2.3.1             >= zlib-1.2.2-2.3.2
                     <= ghostscript-8.14-2.3.1       >= ghostscript-8.14-2.3.2
                     <= openpkg-2.3.4-2.3.4          >= openpkg-2.3.5-2.3.5
                     <= qt-3.3.4-2.3.1               >= qt-3.3.4-2.3.2
Affected Releases:   Dependent Packages:
OpenPKG CURRENT      abiword aegis aide analog apache apache2 autotrace
                     blender bsdtar cadaver cairo citadel clamav
                     cups curl cvs cvsps cvsync dia doxygen emacs
                     ethereal exim expat file firefox flowtools gd
                     geoip gif2png gift-gnutella gift-openft gimp gmime
                     gnome-vfs gnupg gnuplot gnutls htdig imagemagick
                     ircd jitterbug kcd lbreakout lcms libarchive
                     librsync libwmf libxml lout lynx magicpoint mcrypt
                     mixmaster mng mozilla mplayer mrtg mysql mysql3
                     mysql40 mysql41 mysqlcc nagios neon netpbm opencdk
                     openpkg openssh openssl pdflib perl-comp perl-gd
                     perl-tk pgpdump php php3 php5 pnet png postgresql
                     postgresql7 pstoedit python qt ratbox ripe-dbase
                     rrdtool ruby scribus sio subversion tardy tetex
                     tiff tightvnc transfig ttmkfdir w3m webalizer wml
                     wv xdelta xemacs xfig xmame xplanet xv zimg
OpenPKG 2.4          aegis aide analog apache apache2 autotrace cadaver
                     cairo clamav curl cvs emacs exim expat file
                     firefox flowtools gd geoip gif2png gift-gnutella
                     gift-openft gimp gmime gnupg gnuplot htdig
                     imagemagick ircd lcms libwmf libxml lout lynx
                     magicpoint mng mozilla mrtg mysql mysql40 neon
                     netpbm opencdk openssh openssl pdflib perl-comp
                     perl-tk php php5 png postgresql postgresql7
                     pstoedit python ratbox ripe-dbase rrdtool sio
                     subversion tardy tetex tiff tightvnc transfig
                     ttmkfdir w3m webalizer wml xdelta xfig xv
OpenPKG 2.3          aegis aide analog apache apache2 autotrace cadaver
                     clamav curl cvs emacs exim expat file flowtools
                     gd geoip gif2png gift-gnutella gift-openft gimp
                     gmime gnupg gnuplot htdig imagemagick ircd lcms
                     libwmf libxml lout lynx mng mozilla mrtg mysql
                     mysql40 neon netpbm opencdk openssh openssl
                     pdflib perl-comp perl-tk php php5 png postgresql
                     postgresql7 pstoedit python ripe-dbase rrdtool
                     sio subversion tardy tetex tiff tightvnc transfig
                     ttmkfdir w3m webalizer wml xdelta xfig xv
Description:
A previous zlib [1] update for CAN-2005-2096 fixed a Denial of Service
(DoS) flaw in which a carefully crafted compressed stream could crash an
application. While the original patch corrected the reported overflow,
Markus Oberhumer discovered additional ways in which a stream could
trigger an overflow. The Common Vulnerabilities and Exposures (CVE)
project assigned the identifier CAN-2005-1849 [2] to the problem.
Please check whether you are affected by running "<prefix>/bin/openpkg
rpm -q zlib". If you have the "zlib" package installed and its version
is affected (see above), we recommend that you immediately upgrade it
(see Solution) and its dependent packages (see above), too [3][4].
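The "are you affected" check above, automated as an added example that is not part of the advisory or of OpenPKG: the corrected versions are copied from the table, the installed versions are taken from the lines "openpkg rpm -q" prints (a constructed sample is embedded), and the comparison follows rpm's segment-wise version ordering, so it also handles the CURRENT rows where the zlib version itself changes.

```python
"""Added example (not the advisory's own code): decide from the output of
"openpkg rpm -q <pkg>" which packages are still affected by this advisory,
using rpm-style segment-wise version comparison."""
import re
# Corrected package versions per OpenPKG release, copied from the advisory.
CORRECTED = {
    "CURRENT": {"zlib": "1.2.3-20050722", "ghostscript": "8.51-20050722",
                "openpkg": "20050722-20050722", "qt": "3.3.4-20050728"},
    "2.4": {"zlib": "1.2.2-2.4.2", "ghostscript": "8.51-2.4.2",
            "openpkg": "2.4.2-2.4.2", "qt": "3.3.4-2.4.2"},
    "2.3": {"zlib": "1.2.2-2.3.2", "ghostscript": "8.14-2.3.2",
            "openpkg": "2.3.5-2.3.5", "qt": "3.3.4-2.3.2"},
}
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")  # rpm compares runs of digits/letters

def vercmp(a, b):
    """rpmvercmp-style: numeric runs compare numerically, alpha runs
    lexically, a numeric run beats an alpha run, and when all shared
    segments tie the string with more segments is newer. Returns -1/0/1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_nvr(nvr):
    """'zlib-1.2.2-2.4.1' -> ('zlib', '1.2.2-2.4.1'); the name ends at the
    first '-' that is followed by a digit (handles names like perl-gd)."""
    m = re.match(r"^(.+?)-(\d.*)$", nvr.strip())
    if not m:
        raise ValueError("not a name-version-release string: %r" % nvr)
    return m.group(1), m.group(2)

def is_affected(release, nvr):
    """True when the installed version is older than the corrected one;
    packages absent from the table for this release are not affected."""
    name, ver = split_nvr(nvr)
    fixed = CORRECTED[release].get(name)
    return fixed is not None and vercmp(ver, fixed) < 0

def packages_to_update(release, rpm_q_output):
    """Names of packages in 'openpkg rpm -q ...' output that still need it."""
    return [split_nvr(ln)[0] for ln in rpm_q_output.splitlines()
            if ln.strip() and is_affected(release, ln)]

# Constructed sample: an OpenPKG 2.4 host where zlib and qt are not yet updated.
SAMPLE = "zlib-1.2.2-2.4.1\nghostscript-8.51-2.4.2\nopenpkg-2.4.2-2.4.2\nqt-3.3.4-2.4.1\n"
```

Run it against the real query output of your host with `packages_to_update("2.4", subprocess.check_output([...]).decode())`, substituting your release and prefix.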
Solution:
Select the updated source RPM appropriate for your OpenPKG release
[5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
location, verify its integrity [9], build a corresponding binary RPM
from it [3] and update your OpenPKG installation by applying the
binary RPM [4]. For the most recent release OpenPKG 2.4, perform the
following operations to permanently fix the security problem (for
other releases adjust accordingly).
$ ftp ftp.openpkg.org
ftp> bin
ftp> cd release/2.4/UPD
ftp> get zlib-1.2.2-2.4.2.src.rpm
ftp> bye
$ <prefix>/bin/openpkg rpm -v --checksig zlib-1.2.2-2.4.2.src.rpm
$ <prefix>/bin/openpkg rpm --rebuild zlib-1.2.2-2.4.2.src.rpm
$ su -
# <prefix>/bin/openpkg rpm -Fvh <prefix>/RPM/PKG/zlib-1.2.2-2.4.2.*.rpm
Additionally, we recommend that you rebuild and reinstall
all dependent packages (see above), if any, too [3][4].
________________________________________________________________________
References:
[1] http://www.zlib.net/
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1849
[3] http://www.openpkg.org/tutorial.html#regular-source
[4] http://www.openpkg.org/tutorial.html#regular-binary
[5] ftp://ftp.openpkg.org/release/2.4/UPD/zlib-1.2.2-2.4.2.src.rpm
[6] ftp://ftp.openpkg.org/release/2.3/UPD/zlib-1.2.2-2.3.2.src.rpm
[7] ftp://ftp.openpkg.org/release/2.4/UPD/
[8] ftp://ftp.openpkg.org/release/2.3/UPD/
[9] http://www.openpkg.org/security.html#signature
________________________________________________________________________
For security reasons, this advisory was digitally signed with the
OpenPGP public key "OpenPKG <openpkg@xxxxxxxxxxx>" (ID 63C4CB9F) of the
OpenPKG project which you can retrieve from http://pgp.openpkg.org and
hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/
for details on how to verify the integrity of this advisory.
________________________________________________________________________