Bug 162680 - CAN-2005-2096 zlib buffer overflow
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: zlib
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
Whiteboard: 1, 2, LEGACY
Duplicates: 167298
Depends On: 162392
Reported: 2005-07-07 16:19 UTC by Matthew Miller
Modified: 2007-04-18 17:29 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-09-15 02:03:01 UTC


Description Matthew Miller 2005-07-07 16:19:44 UTC
+++ This bug was initially created as a clone of Bug #162392 +++

+++ This bug was initially created as a clone of Bug #162391 +++

This affects zlib 1.2 and up, which is FC1 and FC2.


Comment 1 Jeff Sheltren 2005-07-13 21:21:35 UTC
Hash: SHA1

Created SRPMs using patch from FC4 package:



4c8f526dbed8d61a82ccf8af189023e19b5f723e  zlib-
322ef60e9d141c5532b70cd4734e77e4693a434a  zlib-
Version: GnuPG v1.4.1 (Darwin)


Comment 2 Pekka Savola 2005-07-14 09:20:31 UTC
Hash: SHA1

QA w/
 - source integrity OK
 - spec file changes minimal
 - patches verified to match RHEL4


4c8f526dbed8d61a82ccf8af189023e19b5f723e  zlib-
322ef60e9d141c5532b70cd4734e77e4693a434a  zlib-
Version: GnuPG v1.0.7 (GNU/Linux)


Comment 3 Marc Deslauriers 2005-07-16 18:58:16 UTC
Packages were pushed to updates-testing

Comment 4 Stefan Neufeind 2005-07-21 05:51:21 UTC
Following the paper from Florian Weimer:
and scanning an up to date FC3-install, it reported:

- rsync 2.6.3-1
- restore, modprobe, modinfo, depmod

from FC3 to still contain a statically linked version against an old zlib. If
somebody could confirm, would it be possible to please compile new releases?

Comment 5 Mark J. Cox 2005-07-21 09:05:09 UTC
modprobe, modinfo, depmod have no security context (if you have a malicious
kernel module you're about to load it doesn't really matter if it can exploit
you by zlib).  restore/dump similarly.

rsync includes version 1.1.4 of zlib and is therefore unaffected by this issue.
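
Added example, not part of the bug thread and not the scanner from the paper cited in comment 4: one way to triage binaries for embedded zlib copies is to look for the copyright banners zlib compiles into inftrees.c and deflate.c and compare the version against the range named in this bug (1.2 through 1.2.2). The function names and the sample byte strings are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# zlib embeds these banners in every copy, static or shared:
#   " inflate <ver> Copyright 1995-<year> Mark Adler "        (inftrees.c)
#   " deflate <ver> Copyright 1995-<year> Jean-loup Gailly "  (deflate.c)
BANNER = re.compile(rb" (inflate|deflate) (\d+(?:\.\d+){1,3}) Copyright 1995-\d{4} ")

# Range taken from this bug: "zlib 1.2 and up" through 1.2.2; 1.1.4 is unaffected.
AFFECTED_MIN, AFFECTED_MAX = (1, 2), (1, 2, 2)


def is_affected(version):
    """True if the dotted version string falls inside the range from the bug."""
    v = tuple(int(part) for part in version.split("."))
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def find_zlib(data):
    """Return sorted (component, version, affected) tuples for banners in data."""
    hits = {(m.group(1).decode(), m.group(2).decode()) for m in BANNER.finditer(data)}
    return sorted((comp, ver, is_affected(ver)) for comp, ver in hits)


def scan_file(path):
    """Scan one file on disk; dynamically linked programs show no banner."""
    return find_zlib(Path(path).read_bytes())


# Constructed sample images (not real binaries), used when no paths are given.
SAMPLE_OLD = b"\x7fELFpad\x00 inflate 1.1.4 Copyright 1995-2002 Mark Adler \x00tail"
SAMPLE_VULN = (b"\x7fELF\x00 deflate 1.2.1 Copyright 1995-2003 Jean-loup Gailly \x00"
               b"\x00 inflate 1.2.1 Copyright 1995-2003 Mark Adler \x00")
SAMPLE_NONE = b"\x7fELF no compression code here"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = {p: scan_file(p) for p in sys.argv[1:]}
    else:
        results = {"sample-old": find_zlib(SAMPLE_OLD),
                   "sample-vuln": find_zlib(SAMPLE_VULN),
                   "sample-none": find_zlib(SAMPLE_NONE)}
    for name, hits in results.items():
        for comp, ver, bad in hits:
            state = "AFFECTED" if bad else "ok"
            print(f"{name}: {comp} {ver} {state}")
        if not hits:
            print(f"{name}: no embedded zlib banner found")
```

A stripped or modified banner will not match, so a clean result is not proof that no zlib copy is present; a hit only identifies which binaries need a rebuild against the fixed library.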

Comment 6 John Dalbec 2005-07-21 14:47:30 UTC
05.28.26 CVE: CAN-2005-2096
Platform: Cross Platform
Title: Zlib Compression Library Buffer Overflow Vulnerability
Description: The Zlib compression library is a library designed for
compression and decompression of data. It is reported to be vulnerable
to a buffer overflow issue in the "inflate_table()" function in the
"inftrees.c" file. Zlib versions 1.2.2 and earlier are reported to be

(6) HIGH: zlib Compression Library Buffer Overflow
zlib version 1.2.1 and 1.2.2

Description: zlib is a popular compression library that is widely used
by programs across all OSs including Linux, Mac OS and Windows. This
library contains a buffer overflow that can be triggered by a specially
crafted compressed file. An attacker, who can deliver such a crafted
file to a program using zlib, may exploit the overflow to execute
arbitrary code. For example, a webserver can set "Content-Encoding" HTTP
header to gzip, which may lead to an overflow in the browser using the
zlib library. The technical details required to craft a malicious file
may be obtained by examining the patch.

Status: The vendor will release an official update soon. Many Linux
vendors have already provided updates. A list of applications that use
zlib can be found at: Many of
these applications may require an update from the corresponding vendor.

Council Site Actions: Only a few of the council sites are responding to
this item.   One site said their Linux systems will obtain updated
packages from the Linux vendor, as the packages become available.
Another site will patch their externally accessible servers immediately,
and then roll out to internal servers as part of their standard patch
cycle. The other sites are still evaluating their risk/exposure level
and formulating a remediation response.

Gentoo Advisory (Gentoo researcher reported the bug)  
Handler's Diary Posting  
Ways to Identify Programs With Statically Linked zlib 
Vendor Homepage  
SecurityFocus BID 

Comment 7 Pekka Savola 2005-07-21 18:09:18 UTC
The issue(s) listed in the previous comment (#6) appear to be the ones already
handled by this update, unless I'm mistaken.

Comment 8 Gilbert Sebenste 2005-08-03 15:36:07 UTC
Works for me. +VERIFY FC1.

Comment 9 Pekka Savola 2005-08-04 20:44:03 UTC
Any other verifies?  I'll mark Gilbert's verified, even though unsigned, but
won't start a timeout at least yet..

Comment 10 Jeff Sheltren 2005-08-06 05:53:23 UTC
Hash: SHA1

Verify for FC2 packages:

7ec6202d58ed3a41f3575757b111ab88622081d7  zlib-
450f8ce4f02f36dbee569c0a9fdbe772829dce15  zlib-devel-

Signatures OK
Packages install OK
Packages linked to libz still work as expected

Version: GnuPG v1.4.1 (Darwin)


Comment 11 Pekka Savola 2005-08-08 05:21:32 UTC

Comment 12 Marc Deslauriers 2005-08-09 23:54:48 UTC
Looks like we forgot CAN-2005-1849. Since the patch to fix it was trivial, I
rebuilt packages with it included and put them directly into testing.

Please test and as soon as we get 1 VERIFY, I'll release them.

Comment 13 David Eisenstein 2005-08-20 00:50:16 UTC
Hash: SHA1

Verifying the Fedora Core 1 packages for zlib in updates-testing:

f242225e07d39648b0d7d6558150285ddf7f62d8  zlib-
618d744e5a8f9a895b40f952a8593985c93fd6d6  zlib-devel-
c812abcd0c5bcfccc86573e81d68ebff5b615ded  zlib-

  *  Comparing it with a previous .src.rpm:  Looks good --
  *  specfile changes minimal
  *  patch files look good - very small changes.
  *  PUBLISH++

  *  rpm --checksig (all are properly signed with Fedora Legacy key):
     zlib- (sha1) dsa sha1 md5 gpg OK
     zlib-devel- (sha1) dsa sha1 md5 gpg OK
     zlib- (sha1) dsa sha1 md5 gpg OK
  * of these packages compare favorably with 
     previous zlib packages
  *  Installed fine (zlib and zlib-devel).
  *  Since this is a library, post-install and post-uninstall scripts OK:
     $ rpm -qp --scripts zlib-
     postinstall program: /sbin/ldconfig
     postuninstall program: /sbin/ldconfig
  *  Currently, over 41 processes on my system are linking to this installed (including the gedit window I'm typing in): nary a burp.
  *  Runs fine, tastes great!!

VERIFY++  FC1                   -David

Version: GnuPG v1.2.3 (GNU/Linux)


Comment 14 David Eisenstein 2005-08-20 04:48:56 UTC
Question:  How do we test zlib to ensure the DoS conditions (CAN-2005-2096
& CAN-2005-1849) are fixed before we release packages to updates and issue
an Errata?

I've dug and dug and cannot find any example files to use TO test that the
DoS conditions in zlib have been fixed.  It bothers me that we cannot test

The Fedora Core 3 fix for this apparently is in Bug #163038.  From Fedora
Update Notification FEDORA-2005-625 at <>:

  * Fri Jul 22 2005 Ivana Varekova <varekova redhat com>
  - fix bug 163038 - CAN-2005-1849 - zlib overflow problem

Bug #163038 may include information on how to test the fixed zlibs.  But I
cannot open that Bug.  Can anyone else?

Comment 15 Pekka Savola 2005-08-20 20:15:37 UTC
I can't access it either, probably something embargoed by redhat.

Comment 16 Mark J. Cox 2005-08-21 08:45:35 UTC
opened bug, but nothing useful in it.  (Feel free to mail if
you see bugs that you think you should be able to access but can't -- we usually
catch these ourselves but in this case the embargo was lifted early and we
updated the el bug but not the fc version).

Comment 17 David Eisenstein 2005-08-23 11:16:00 UTC
Well, I'd say go ahead and release this.  Zlib has been working great on my
machine for a few days now.  It may be bothersome not to be able to find any
tests for the vulnerabilities, but that's just the way it is.  -David

Comment 18 John Dalbec 2005-09-02 14:12:05 UTC
*** Bug 167298 has been marked as a duplicate of this bug. ***

Comment 19 Marc Deslauriers 2005-09-15 02:03:01 UTC
Packages were released.
