US-CERT Vulnerability Notes Database

Vulnerability Note VU#142121

zlib "gzprintf()" function vulnerable to buffer overflow

Overview

A buffer overflow exists in one of the functions included with the zlib compression library. This vulnerability may allow a remote attacker to execute arbitrary code or cause a denial of service. An exploit for this vulnerability is publicly available.

I. Description

The zlib website describes zlib as a "...lossless data-compression library for use on virtually any computer hardware and operating system." A buffer overflow exists in the gzprintf function contained within the zlib compression library. For more detailed information, please see Richard Kettlewell's advisory.

II. Impact

A remote attacker may be able to execute code or cause a denial of service.

III. Solution

Apply a vendor patch.

Systems Affected

Vendor                            Status          Date Notified   Date Updated
3Com                              Unknown                         23-May-2003
Adobe Systems Incorporated        Unknown                         23-May-2003
Alcatel                           Unknown                         23-May-2003
Apple Computer, Inc.              Not Vulnerable                  2-Jun-2003
AT&T                              Unknown                         23-May-2003
Avaya                             Unknown                         23-May-2003
Berkeley Software Design, Inc.    Unknown                         23-May-2003
Cisco Systems, Inc.               Unknown                         23-May-2003
Computer Associates               Unknown                         23-May-2003
Cray Inc.                         Unknown                         23-May-2003
D-Link Systems                    Unknown                         23-May-2003
Data General                      Unknown                         23-May-2003
Debian Linux                      Unknown                         23-May-2003
Engarde                           Unknown                         23-May-2003
Extreme Networks                  Unknown                         23-May-2003
F5 Networks, Inc.                 Unknown                         23-May-2003
Foundry Networks Inc.             Not Vulnerable                  2-Jun-2003
FreeBSD, Inc.                     Unknown                         23-May-2003
Fujitsu                           Not Vulnerable                  5-Jun-2003
Gentoo Linux                      Vulnerable                      23-May-2003
Hewlett-Packard Company           Unknown                         23-May-2003
Hitachi                           Not Vulnerable                  14-Jul-2003
IBM-zSeries                       Unknown                         23-May-2003
IBM Corporation                   Vulnerable                      27-May-2003
Ingrian Networks, Inc.            Unknown                         23-May-2003
Intel                             Unknown                         23-May-2003
Juniper Networks, Inc.            Unknown                         23-May-2003
Lachman                           Unknown                         23-May-2003
Lotus Software                    Unknown                         23-May-2003
Lucent Technologies               Unknown                         23-May-2003
Mandriva, Inc.                    Vulnerable                      8-Sep-2004
Mandriva, Inc.                    Vulnerable                      23-May-2003
Mandriva, Inc.                    Unknown                         23-May-2003
Microsoft Corporation             Unknown                         23-May-2003
MontaVista Software, Inc.         Unknown                         23-May-2003
Multi-Tech Systems Inc.           Unknown                         23-May-2003
Multinet                          Unknown                         23-May-2003
NEC Corporation                   Unknown                         23-May-2003
NetBSD                            Vulnerable                      23-May-2003
Netscreen                         Unknown                         23-May-2003
Network Appliance                 Unknown                         23-May-2003
NeXT                              Unknown                         23-May-2003
Nokia                             Unknown                         23-May-2003
Nortel Networks, Inc.             Unknown                         23-May-2003
OpenBSD                           Unknown                         23-May-2003
OpenPKG                           Vulnerable                      23-May-2003
Openwall GNU/*/Linux              Vulnerable                      2-Jun-2003
Oracle Corporation                Unknown                         23-May-2003
Red Hat, Inc.                     Vulnerable                      27-May-2003
Riverstone Networks               Unknown                         23-May-2003
SCO                               Vulnerable                      23-May-2003
Sequent Computer Systems, Inc.    Unknown                         23-May-2003
SGI                               Unknown                         23-May-2003
Sony Corporation                  Unknown                         23-May-2003
Sun Microsystems, Inc.            Unknown                         23-May-2003
SUSE Linux                        Vulnerable                      24-Jun-2003
Unisys                            Unknown                         23-May-2003
Wind River Systems, Inc.          Unknown                         23-May-2003
Wirex                             Unknown                         23-May-2003
Xerox Corporation                 Not Vulnerable                  12-Jun-2003
Xpdf                              Not Vulnerable                  3-Jun-2003
ZyXEL                             Unknown                         23-May-2003

References


http://www.gzip.org/zlib/
http://online.securityfocus.com/bid/6913
http://securityfocus.org/archive/1/312869
http://www.securityfocus.com/archive/1/312869
http://www.iss.net/security_center/static/11381.php
http://secunia.com/advisories/24788
http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=3616065
http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=9916286

Credit

This vulnerability was discovered by Richard Kettlewell.

This document was written by Ian A Finlay.

Other Information

Date Public: 2003-02-22
Date First Published: 2003-05-23
Date Last Updated: 2008-06-06
CERT Advisory:
CVE-ID(s): CVE-2003-0107
NVD-ID(s): CVE-2003-0107
US-CERT Technical Alerts:
Metric: 29.11
Document Revision: 11

Copyright 2003 Carnegie Mellon University