Security Advisory: zlib security update

Advisory: RHSA-2003:081-04
Type: Security Advisory
Severity: Moderate
Issued on: 2003-05-22
Last updated on: 2003-05-22
Affected Products: Red Hat Enterprise Linux AS (v. 2.1)
Red Hat Enterprise Linux ES (v. 2.1)
Red Hat Enterprise Linux WS (v. 2.1)
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
OVAL: N/A
CVEs (cve.mitre.org): CVE-2003-0107

Details

Updated zlib packages that fix a buffer overflow vulnerability are now
available.

Zlib is a general-purpose, patent-free, lossless data compression
library that is used by many different programs.

The function gzprintf within zlib, when called with a string longer than
Z_PRINTF_BUFSIZE (= 4096 bytes), can overflow the buffer without giving a warning.

zlib-1.1.4 and earlier exhibit this behavior. There are no known exploits
of the gzprintf overrun, and only a few programs, including rpm2html
and gimp-print, are known to use the gzprintf function.

The problem has been fixed by checking the length of the output string
within gzprintf.
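As an added illustration (this is neither zlib's source nor Red Hat's patch), a bounded formatter in C showing the kind of length check the advisory describes: output that would exceed Z_PRINTF_BUFSIZE is refused instead of being written past the end of the buffer. The function names bounded_format and try_format_run are made up for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define Z_PRINTF_BUFSIZE 4096   /* the size the advisory quotes */

/* Hardened formatter. The unbounded pattern it replaces, vsprintf(buf, fmt,
 * ap), has no size argument, so a result longer than the buffer silently
 * runs past its end. vsnprintf stops at the bound and reports how long the
 * full output would have been, which is the length check the advisory says
 * was added to gzprintf. Returns the length written (excluding the NUL), or
 * -1 if the string would not fit, in which case buf is left empty. */
int bounded_format(char *buf, const char *fmt, ...)
{
    va_list ap;
    int needed;
    va_start(ap, fmt);
    needed = vsnprintf(buf, Z_PRINTF_BUFSIZE, fmt, ap);
    va_end(ap);
    if (needed < 0)                     /* encoding error */
        return -1;
    if (needed >= Z_PRINTF_BUFSIZE) {   /* would have overflowed */
        buf[0] = '\0';
        return -1;
    }
    return needed;
}

/* Format a constructed run of n 'A's and report bounded_format's verdict. */
int try_format_run(size_t n)
{
    static char buf[Z_PRINTF_BUFSIZE];
    char *src = malloc(n + 1);
    int r;
    if (src == NULL)
        return -1;
    memset(src, 'A', n);
    src[n] = '\0';
    r = bounded_format(buf, "%s", src);
    free(src);
    return r;
}

int main(void)
{
    printf("4095 bytes -> %d\n", try_format_run(4095));   /* 4095 */
    printf("4096 bytes -> %d\n", try_format_run(4096));   /* -1 */
    return 0;
}
```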


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

Please note that this update is available via Red Hat Network. To use Red
Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Enterprise Linux AS (v. 2.1)

SRPMS:
zlib-1.1.4-8.2.1AS.src.rpm     c12c6563b00692d065c940806fdf8baa
 
IA-32:
zlib-1.1.4-8.2.1AS.i386.rpm     7cf46927263db18468e5b39c66ce239c
zlib-devel-1.1.4-8.2.1AS.i386.rpm     bdd152ac5ee074e8106784369e131d2e
 
IA-64:
zlib-1.1.4-8.2.1AS.ia64.rpm     ffd6982d6731db18313d995dc524656c
zlib-devel-1.1.4-8.2.1AS.ia64.rpm     20ae528021f684c69742cdba0ad8cbac
 
Red Hat Enterprise Linux ES (v. 2.1)

SRPMS:
zlib-1.1.4-8.2.1AS.src.rpm     c12c6563b00692d065c940806fdf8baa
 
IA-32:
zlib-1.1.4-8.2.1AS.i386.rpm     7cf46927263db18468e5b39c66ce239c
zlib-devel-1.1.4-8.2.1AS.i386.rpm     bdd152ac5ee074e8106784369e131d2e
 
Red Hat Enterprise Linux WS (v. 2.1)

SRPMS:
zlib-1.1.4-8.2.1AS.src.rpm     c12c6563b00692d065c940806fdf8baa
 
IA-32:
zlib-1.1.4-8.2.1AS.i386.rpm     7cf46927263db18468e5b39c66ce239c
zlib-devel-1.1.4-8.2.1AS.i386.rpm     bdd152ac5ee074e8106784369e131d2e
 
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor

SRPMS:
zlib-1.1.4-8.2.1AS.src.rpm     c12c6563b00692d065c940806fdf8baa
 
IA-64:
zlib-1.1.4-8.2.1AS.ia64.rpm     ffd6982d6731db18313d995dc524656c
zlib-devel-1.1.4-8.2.1AS.ia64.rpm     20ae528021f684c69742cdba0ad8cbac
 
(The unlinked packages above are only available from the Red Hat Network)

Keywords

buffer, gzprintf, overflow


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/