From openpkg@openpkg.org Thu Jul 28 10:18:25 2005 From: OpenPKG To: bugtraq@securityfocus.com Date: Thu, 28 Jul 2005 10:08:18 +0200 Subject: [OpenPKG-SA-2005.014] OpenPKG Security Advisory (zlib) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ________________________________________________________________________ OpenPKG Security Advisory The OpenPKG Project http://www.openpkg.org/security.html http://www.openpkg.org openpkg-security@openpkg.org openpkg@openpkg.org OpenPKG-SA-2005.014 28-Jul-2005 ________________________________________________________________________ Package: zlib Vulnerability: denial of service OpenPKG Specific: no Affected Releases: Affected Packages: Corrected Packages: OpenPKG CURRENT <= zlib-1.2.2-20050706 >= zlib-1.2.3-20050722 <= ghostscript-8.51-20050706 >= ghostscript-8.51-20050722 <= openpkg-20050706-20050706 >= openpkg-20050722-20050722 <= qt-3.3.4-20050707 >= qt-3.3.4-20050728 OpenPKG 2.4 <= zlib-1.2.2-2.4.1 >= zlib-1.2.2-2.4.2 <= ghostscript-8.51-2.4.1 >= ghostscript-8.51-2.4.2 <= openpkg-2.4.1-2.4.1 >= openpkg-2.4.2-2.4.2 <= qt-3.3.4-2.4.1 >= qt-3.3.4-2.4.2 OpenPKG 2.3 <= zlib-1.2.2-2.3.1 >= zlib-1.2.2-2.3.2 <= ghostscript-8.14-2.3.1 >= ghostscript-8.14-2.3.2 <= openpkg-2.3.4-2.3.4 >= openpkg-2.3.5-2.3.5 <= qt-3.3.4-2.3.1 >= qt-3.3.4-2.3.2 Affected Releases: Dependent Packages: OpenPKG CURRENT abiword aegis aide analog apache apache2 autotrace blender bsdtar cadaver cairo citadel clamav cups curl cvs cvsps cvsync dia doxygen emacs ethereal exim expat file firefox flowtools gd geoip gif2png gift-gnutella gift-openft gimp gmime gnome-vfs gnupg gnuplot gnutls htdig imagemagick ircd jitterbug kcd lbreakout lcms libarchive librsync libwmf libxml lout lynx magicpoint mcrypt mixmaster mng mozilla mplayer mrtg mysql mysql3 mysql40 mysql41 mysqlcc nagios neon netpbm opencdk openpkg openssh openssl pdflib perl-comp perl-gd perl-tk pgpdump php php3 php5 pnet png postgresql postgresql7 pstoedit python qt ratbox ripe-dbase rrdtool ruby scribus sio subversion tardy tetex tiff tightvnc transfig ttmkfdir w3m webalizer wml wv xdelta xemacs xfig xmame xplanet xv zimg OpenPKG 2.4 aegis aide analog apache apache2 autotrace cadaver cairo clamav curl cvs emacs exim expat file firefox flowtools gd geoip gif2png gift-gnutella gift-openft gimp gmime gnupg gnuplot htdig imagemagick ircd lcms libwmf libxml lout lynx magicpoint mng mozilla mrtg mysql mysql40 neon netpbm opencdk openssh openssl pdflib perl-comp perl-tk php php5 png postgresql postgresql7 pstoedit python ratbox ripe-dbase rrdtool sio subversion tardy tetex tiff tightvnc transfig ttmkfdir w3m webalizer wml xdelta xfig xv OpenPKG 2.3 aegis aide analog apache apache2 autotrace cadaver clamav curl cvs emacs exim expat file flowtools gd geoip gif2png gift-gnutella gift-openft gimp gmime gnupg gnuplot htdig imagemagick ircd lcms libwmf libxml lout lynx mng mozilla mrtg mysql mysql40 neon netpbm opencdk openssh openssl pdflib perl-comp perl-tk php php5 png postgresql postgresql7 pstoedit python ripe-dbase rrdtool sio subversion tardy tetex tiff tightvnc transfig ttmkfdir w3m webalizer wml xdelta xfig xv Description: A previous ZLib [1] update for CAN-2005-2096 fixed a Denial of Service (DoS) flaw that could allow a carefully crafted compressed stream to crash an application. While the original patch corrected the reported overflow, Markus Oberhumer discovered additional ways a stream could trigger an overflow. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2005-1849 [2] to the problem. Please check whether you are affected by running "/bin/openpkg rpm -q zlib". If you have the "zlib" package installed and its version is affected (see above), we recommend that you immediately upgrade it (see Solution) and its dependent packages (see above), too [3][4]. Solution: Select the updated source RPM appropriate for your OpenPKG release [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror location, verify its integrity [9], build a corresponding binary RPM from it [3] and update your OpenPKG installation by applying the binary RPM [4]. For the most recent release OpenPKG 2.4, perform the following operations to permanently fix the security problem (for other releases adjust accordingly). $ ftp ftp.openpkg.org ftp> bin ftp> cd release/2.4/UPD ftp> get zlib-1.2.2-2.4.2.src.rpm ftp> bye $ /bin/openpkg rpm -v --checksig zlib-1.2.2-2.4.2.src.rpm $ /bin/openpkg rpm --rebuild zlib-1.2.2-2.4.2.src.rpm $ su - # /bin/openpkg rpm -Fvh /RPM/PKG/zlib-1.2.2-2.4.2.*.rpm Additionally, we recommend that you rebuild and reinstall all dependent packages (see above), if any, too [3][4]. ________________________________________________________________________ References: [1] http://www.zlib.net/ [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1849 [3] http://www.openpkg.org/tutorial.html#regular-source [4] http://www.openpkg.org/tutorial.html#regular-binary [5] ftp://ftp.openpkg.org/release/2.4/UPD/zlib-1.2.2-2.4.2.src.rpm [6] ftp://ftp.openpkg.org/release/2.3/UPD/zlib-1.2.2-2.3.2.src.rpm [7] ftp://ftp.openpkg.org/release/2.4/UPD/ [8] ftp://ftp.openpkg.org/release/2.3/UPD/ [9] http://www.openpkg.org/security.html#signature ________________________________________________________________________ For security reasons, this advisory was digitally signed with the OpenPGP public key "OpenPKG " (ID 63C4CB9F) of the OpenPKG project which you can retrieve from http://pgp.openpkg.org and hkp://pgp.openpkg.org. Follow the instructions on http://pgp.openpkg.org/ for details on how to verify the integrity of this advisory. ________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Comment: OpenPKG iD8DBQFC6JIRgHWT4GPEy58RAun3AJ9mvppzpQs4m5xWs/G2LC7Q/UQf2QCffSoz nziZUeYND7D9aHtJ93N0+PA= =EzY9 -----END PGP SIGNATURE-----