Red Hat Bugzilla – Bug 131385
CAN-2004-0797: inflate() and inflateBack() functions don't properly handle errors
Last modified: 2007-11-30 17:10:48 EST
Description of problem:
A vulnerability was reported in zlib. A remote user can cause denial
of service conditions. Johan Thelmen reported that a specially
crafted file can cause a segmentation fault in zlib. It is reported
that the inflate() and inflateBack() functions do not properly handle
errors. A user can create a file that, when processed by zlib, will
cause a segmentation fault. The specific impact depends on the
application using zlib.
Also have a look at:
Version-Release number of selected component (if applicable):
I attached a patch which should solve the issue.
Fix of this issue for all affected versions ;-)
The patch originally is from Debian.
Created attachment 103317
It seems that only Fedora Core 1, 2 and Development are affected
by this issue. Red Hat Enterprise Linux 3 has the older 1.1.4, which
does not seem to be affected, but maybe you should check this.
Correct, 1.1* is unaffected.
*** Bug 131395 has been marked as a duplicate of this bug. ***
Hey, what's up - why isn't the patch for the CAN included...does it
zlib-188.8.131.52-1 built in fc3; fc1 and fc2 need doing too.
-0.fc1 and -0.fc2 now built.
Did the FC2 update get pushed and announcements sent? I don't see it
on the update site or on fedora-announce-list.
Ping, no announcement has gone out to fedora-announce-list about this
This bug is neither an FC3 nor an FC4 target bug, it's an open issue
only for FC2 now - and thank you for sleeping so long, now FC1
isn't supported any longer. Maybe Warren should be added for a Legacy
fc2 update still not pushed to
Could we please get this update for FC2 at least as a Christmas present?
I don't want to find it as an Easter egg... ;-)
What is the state of this bug? Is it really impossible to fix a
security-relevant bug within 5 months?
My last hope is that Fedora Legacy fixes this security issue in May
2005, when the outdated Fedora Core 2 is transferred to it...
Released as FEDORA-2005-095.
According to jbj rebuilding these packages, even the one in FC4, should work
fine in earlier distributions. It should be trivial for Legacy to issue updates
after proper testing.