Vulnerability Note VU#142121
zlib "gzprintf()" function vulnerable to buffer overflow
Overview
A buffer overflow exists in one of the functions included with the zlib compression library. This vulnerability may allow a remote attacker to execute arbitrary code or cause a denial of service. An exploit for this vulnerability is publicly available.
Description
The zlib website describes zlib as a "...lossless data-compression library for use on virtually any computer hardware and operating system." A buffer overflow exists in the gzprintf() function contained within the zlib compression library. gzprintf() formats its arguments into a fixed-size stack buffer before writing them to the compressed stream; formatted output longer than that buffer is not bounded and overwrites adjacent memory. Because zlib is a library, the vulnerability is reachable only through applications that pass attacker-influenced data to gzprintf(), including applications that statically link a vulnerable copy of zlib. For more detailed information, please see Richard Kettlewell's advisory.
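The following is an added illustration of the bug class and its fix; it is not code from this vulnerability note or from zlib. Affected zlib versions format gzprintf() output into a stack buffer of Z_PRINTF_BUFSIZE (4096) bytes, and in builds without vsnprintf() they do so with an unbounded vsprintf(). The hypothetical checked_gzprintf_len() below shows the hardened formatting step (bound the write with vsnprintf() and reject output that does not fit), and overflow_bytes() measures, without performing any overrun, how far an unbounded write would have run past the buffer. All inputs are constructed in the block; Z_PRINTF_BUFSIZE is zlib's own constant name, every other identifier is an assumption for this example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* zlib formats gzprintf() output into a stack buffer of this many bytes. */
#define Z_PRINTF_BUFSIZE 4096

/*
 * Hardened formatting step: bound the write with vsnprintf() and treat a
 * result that does not fit (len >= bufsz) as an error instead of letting
 * an unbounded vsprintf() run past the buffer.
 * Returns the formatted length, or -1 if the output would not fit or
 * vsnprintf() failed.
 */
static int bounded_format(char *buf, size_t bufsz, const char *fmt, va_list va)
{
    int len = vsnprintf(buf, bufsz, fmt, va);
    if (len < 0) {
        return -1;             /* encoding or format error */
    }
    if ((size_t)len >= bufsz) {
        buf[0] = '\0';         /* refuse the write rather than emit a partial record */
        return -1;
    }
    return len;
}

/*
 * Hypothetical checked stand-in for the formatting half of gzprintf(): it
 * stops where the real function would hand the buffer to gzwrite() and
 * returns the byte count that would have been written (-1 = rejected).
 */
int checked_gzprintf_len(const char *fmt, ...)
{
    char buf[Z_PRINTF_BUFSIZE];
    va_list va;
    int len;

    va_start(va, fmt);
    len = bounded_format(buf, sizeof buf, fmt, va);
    va_end(va);
    return len;
}

/*
 * Bytes an unbounded vsprintf() into a Z_PRINTF_BUFSIZE buffer would have
 * written past its end, counting the terminating NUL (0 when it fits).
 * Uses the sizing idiom vsnprintf(NULL, 0, ...) so nothing is overrun.
 */
size_t overflow_bytes(const char *fmt, ...)
{
    va_list va;
    int len;
    size_t needed;

    va_start(va, fmt);
    len = vsnprintf(NULL, 0, fmt, va);
    va_end(va);
    if (len < 0) {
        return 0;
    }
    needed = (size_t)len + 1;   /* vsprintf() always writes the NUL */
    return needed > Z_PRINTF_BUFSIZE ? needed - Z_PRINTF_BUFSIZE : 0;
}

/* Constructed input: an n-byte run of c, the shape of attacker data fed through "%s". */
static char *repeated(char c, size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL) {
        return NULL;
    }
    memset(s, c, n);
    s[n] = '\0';
    return s;
}

int checked_len_of_repeated(char c, size_t n)
{
    char *s = repeated(c, n);
    int len;
    if (s == NULL) {
        return -2;
    }
    len = checked_gzprintf_len("%s", s);
    free(s);
    return len;
}

size_t overflow_bytes_of_repeated(char c, size_t n)
{
    char *s = repeated(c, n);
    size_t excess;
    if (s == NULL) {
        return 0;
    }
    excess = overflow_bytes("%s", s);
    free(s);
    return excess;
}

int main(void)
{
    size_t sizes[] = { 5, 4095, 4096, 5000 };
    size_t i;
    for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        printf("%4zu bytes: checked len %5d, unbounded overrun %zu bytes\n", sizes[i],
               checked_len_of_repeated('A', sizes[i]), overflow_bytes_of_repeated('A', sizes[i]));
    }
    return 0;
}
```

The boundary matters: a 4095-byte argument is the largest that fits with its NUL, a 4096-byte one is already a one-byte overrun under vsprintf(), and the checked variant rejects it instead. The same vsnprintf(NULL, 0, ...) sizing idiom is how a caller can pre-check its own arguments when it cannot upgrade the library immediately.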
Impact
A remote attacker who can supply input to an application that passes it to gzprintf() may be able to execute arbitrary code with the privileges of that application or cause a denial of service.
Solution
Apply a vendor patch or updated package (see Systems Affected below). Updating the shared zlib library does not fix applications that were built against a private or statically linked copy of zlib; those must be rebuilt against a fixed version.
Systems Affected

| Vendor                 | Status       | Date Notified | Date Updated |
|------------------------|--------------|---------------|--------------|
| Gentoo Linux           | Affected     | -             | 23 May 2003  |
| IBM Corporation        | Affected     | 23 May 2003   | 27 May 2003  |
| Mandriva, Inc.         | Affected     | 23 May 2003   | 08 Sep 2004  |
| Mandriva, Inc.         | Affected     | -             | 23 May 2003  |
| NetBSD                 | Affected     | 23 May 2003   | 23 May 2003  |
| OpenPKG                | Affected     | -             | 23 May 2003  |
| Openwall GNU/*/Linux   | Affected     | 23 May 2003   | 02 Jun 2003  |
| Red Hat, Inc.          | Affected     | 23 May 2003   | 27 May 2003  |
| SCO                    | Affected     | -             | 23 May 2003  |
| SUSE Linux             | Affected     | 23 May 2003   | 24 Jun 2003  |
| Apple Computer, Inc.   | Not Affected | 23 May 2003   | 02 Jun 2003  |
| Foundry Networks Inc.  | Not Affected | 23 May 2003   | 02 Jun 2003  |
| Fujitsu                | Not Affected | 23 May 2003   | 05 Jun 2003  |
| Hitachi                | Not Affected | 23 May 2003   | 14 Jul 2003  |
| Xerox Corporation      | Not Affected | 23 May 2003   | 12 Jun 2003  |
This vulnerability was discovered by Richard Kettlewell.
This document was written by Ian A Finlay.
- CVE IDs: CVE-2003-0107
- Date Public: 22 Feb 2003
- Date First Published: 23 May 2003
- Date Last Updated: 06 Jun 2008
- Severity Metric: 29.11
- Document Revision: 11