zlib vulnerability

Archaic archaic at linuxfromscratch.org
Wed Jul 6 11:19:52 PDT 2005


A possible buffer overflow exploit was discovered in zlib. This includes
web browsers or email programs able to view PNG images (which are
compressed by zlib). The most likely scenario is a Denial of Service by
crashing the program that is linked to zlib. However, a possibility of
priviledge escalation is suspected.

Attached is the patch for those who don't want to wait for the website
and mirrors to sync. It is being added to the patches repository now
followed by updates to the LFS book's development and testing branches.
A 6.1-pre2 release will immediately follow all this.

Other than applying the patch, there are no changes in zlib's build
instructions. Any services that are linked to zlib should be restarted
after the patched zlib is installed.

The link for this vulnerability (just a place holder last time I looked)
is:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096


-- 
Archaic

Want control, education, and security from your operating system?
Hardened Linux From Scratch
http://www.linuxfromscratch.org/hlfs

-------------- next part --------------
Submitted By: Archaic <archaic AT linuxfromscratch D0T org>
Date: 2005-07-06
Initial Package Version: 1.2.2
Upstream Status: Awaiting Acceptance
Origin: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-05%3A16/zlib.patch
Description: Fixes a buffer overflow vulnerability.
             http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096

diff -Naur zlib-1.2.2.orig/inftrees.c zlib-1.2.2/inftrees.c
--- zlib-1.2.2.orig/inftrees.c	2004-09-15 14:30:06.000000000 +0000
+++ zlib-1.2.2/inftrees.c	2005-07-06 17:47:31.000000000 +0000
@@ -134,7 +134,7 @@
         left -= count[len];
         if (left < 0) return -1;        /* over-subscribed */
     }
-    if (left > 0 && (type == CODES || (codes - count[0] != 1)))
+    if (left > 0 && (type == CODES || max != 1))
         return -1;                      /* incomplete set */
 
     /* generate offsets into symbol table for each length for sorting */


More information about the lfs-security mailing list