Bug 131385

Summary: CAN-2004-0797: inflate() and inflateBack() functions don't properly handle errors
Product: [Fedora] Fedora
Reporter: Robert Scheck <redhat-bugzilla>
Component: zlib
Assignee: Jeff Johnson <jbj>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: rawhide
CC: b-nordquist, bressers, rh-bugzilla, wtogami
Keywords: Security
Hardware: All
OS: Linux
URL: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0797
Doc Type: Bug Fix
Last Closed: 2005-01-29 04:15:03 UTC
Bug Blocks: 145267    
Attachments: zlib-1.2.1.1-inflate.patch (flags: none)

Description Robert Scheck 2004-08-31 20:18:06 UTC
Description of problem:
A vulnerability was reported in zlib. A remote user can cause denial 
of service conditions. Johan Thelmen reported that a specially 
crafted file can cause a segmentation fault in zlib. It is reported 
that the inflate() and inflateBack() functions do not properly handle  
errors. A user can create a file that when processed by zlib, will 
cause a segmentation fault. The specific impact depends on the 
application using zlib.

Also have a look at:
  http://www.securitytracker.com/alerts/2004/Aug/1011085.html

Version-Release number of selected component (if applicable):
zlib-1.2.1.1-3

Actual results:
I attached a patch which should solve the issue.

Expected results:
Fix of this issue for all affected versions ;-)

Additional info:
The patch originally is from Debian.

Comment 1 Robert Scheck 2004-08-31 20:19:38 UTC
Created attachment 103317
zlib-1.2.1.1-inflate.patch

Comment 2 Robert Scheck 2004-08-31 20:31:36 UTC
It seems that only Fedora Core 1, 2 and Development are affected
by this issue. Red Hat Enterprise Linux 3 has the older 1.1.4, which
does not seem to be affected, but maybe you should check this.

Comment 3 Mark J. Cox 2004-09-01 08:20:54 UTC
Correct, 1.1* is unaffected.

Comment 4 Mark J. Cox 2004-09-01 08:21:36 UTC
*** Bug 131395 has been marked as a duplicate of this bug. ***

Comment 5 Robert Scheck 2004-09-11 13:14:10 UTC
Hey, what's up - why isn't the patch for the CAN included...does it 
hurt someone?!

Comment 6 Jeff Johnson 2004-09-14 11:28:48 UTC
zlib-1.2.1.2-1 built in fc3; fc1 and fc2 need doing too.

Comment 7 Jeff Johnson 2004-09-21 13:26:31 UTC
-0.fc1 and -0.fc2 now built.

Comment 8 Mark J. Cox 2004-10-07 09:30:00 UTC
Did the FC2 update get pushed and announcements sent?  I don't see it
on the update site or on fedora-announce-list.

Comment 9 Mark J. Cox 2004-11-03 12:33:30 UTC
Ping, no announcement has gone out to fedora-announce-list about this
issue.

Comment 10 Robert Scheck 2004-11-03 18:30:42 UTC
This bug is neither an FC3 nor an FC4 target bug, it's an open issue
only for FC2 now - and thank you for sleeping so long, now FC1
isn't supported any longer. Maybe Warren should be added for a Legacy
update... :-(

Comment 11 Mark J. Cox 2004-11-09 09:57:10 UTC
fc2 update still not pushed to
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/SRPMS/


Comment 12 Robert Scheck 2004-12-16 22:28:39 UTC
Could we please get this update for FC2 at least as a Christmas present?
I don't want to find it as an Easter egg... ;-)

Comment 13 Enrico Scholz 2005-01-28 20:21:06 UTC
What is the state of this bug?  Is it really impossible to fix a
security-relevant bug within 5 months?

Comment 14 Robert Scheck 2005-01-28 21:06:29 UTC
My last hope is that Fedora Legacy fixes this security issue in May
2005, when the outdated Fedora Core 2 is transferred to it...

Comment 15 Josh Bressers 2005-01-29 04:15:03 UTC
Released as FEDORA-2005-095.

Comment 16 Warren Togami 2005-01-29 06:59:40 UTC
According to jbj rebuilding these packages, even the one in FC4, should work
fine in earlier distributions.  It should be trivial for Legacy to issue updates
after proper testing.