<title>zlib: Buffer overflow</title>
A buffer overflow has been discovered in zlib, potentially resulting in the
execution of arbitrary code.
<product type="ebuild">zlib</product>
<announced>July 06, 2005</announced>
<revised>July 06, 2005: 01</revised>
<package name="sys-libs/zlib" auto="yes" arch="*">
<unaffected range="ge">1.2.2-r1</unaffected>
<vulnerable range="lt">1.2.2-r1</vulnerable>
zlib is a widely used, free and patent-unencumbered data
compression library.
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered a
buffer overflow in zlib. A bounds-checking operation failed to take
invalid data into account, allowing a specifically malformed deflate
data stream to overrun a buffer.
<impact type="high">
An attacker could construct a malformed data stream, embedding it
within network communication or an application file format, potentially
resulting in the execution of arbitrary code when decoded by the
application using the zlib library.
There is no known workaround at this time.
All zlib users should upgrade to the latest version:
<code>
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=sys-libs/zlib-1.2.2-r1&quot;</code>
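To decide whether a given host needs the upgrade above, the advisory's `<unaffected>` and `<vulnerable>` ranges can be evaluated against the installed version. The following is an added example, not part of the advisory or of Portage: the function names are hypothetical, and the version comparison is a simplified assumption that handles only dotted numeric versions with an optional `-rN` revision, not the full Gentoo version syntax.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: the <package> lines from this advisory, with the closing
# tag restored so the fragment parses on its own.
GLSA_PACKAGE = """
<package name="sys-libs/zlib" auto="yes" arch="*">
<unaffected range="ge">1.2.2-r1</unaffected>
<vulnerable range="lt">1.2.2-r1</vulnerable>
</package>
"""

# Simplified assumption: dotted numbers plus optional -rN (no suffixes or letters).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(text):
    """Return (numeric components, revision); a missing -rN counts as r0."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unsupported version syntax: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)


# Only "ge" and "lt" appear in this advisory; the other three are handled
# as the corresponding plain comparisons.
_RANGE_OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "eq": lambda a, b: a == b,
    "ge": lambda a, b: a >= b,
    "gt": lambda a, b: a > b,
}


def matches(installed, range_op, bound):
    """True if the installed version satisfies one range element."""
    return _RANGE_OPS[range_op](parse_version(installed), parse_version(bound))


def is_vulnerable(package_xml, installed):
    """True if installed hits a <vulnerable> range and no <unaffected> range."""
    pkg = ET.fromstring(package_xml.strip())

    def hit(tag):
        return any(matches(installed, e.get("range"), e.text)
                   for e in pkg.findall(tag))

    return hit("vulnerable") and not hit("unaffected")
```

A version string outside the simplified syntax raises `ValueError` rather than being silently classified, so an unparsed version is never reported as safe.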
<uri link="">CAN-2005-2096</uri>
<metadata tag="submitter" timestamp="Mon, 04 Jul 2005 06:51:26 +0000">
<metadata tag="bugReady" timestamp="Wed, 06 Jul 2005 14:21:00 +0000">