SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information

Report a Vulnerability

 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#142121

zlib "gzprintf()" function vulnerable to buffer overflow

Overview

A buffer overflow exists in one of the functions included with the zlib compression library. This vulnerability may allow a remote attacker to execute arbitrary code or cause a denial of service. An exploit for this vulnerability is publicly available.

I. Description

The zlib website describes zlib as a "...lossless data-compression library for use on virtually any computer hardware and operating system." A buffer overflow exists in the gzprintf function contained within the zlib compression library. For more detailed information, please see Richard Kettlewell's advisory.

II. Impact

A remote attacker may be able to execute code or cause a denial of service.

III. Solution

Apply a vendor patch.

Systems Affected
VendorStatusDate NotifiedDate Updated
3ComUnknown23-May-2003
Adobe Systems IncorporatedUnknown23-May-2003
AlcatelUnknown23-May-2003
Apple Computer, Inc.Not Vulnerable2-Jun-2003
AT&TUnknown23-May-2003
AvayaUnknown23-May-2003
Berkeley Software Design, Inc.Unknown23-May-2003
Cisco Systems, Inc.Unknown23-May-2003
Computer AssociatesUnknown23-May-2003
Cray Inc.Unknown23-May-2003
D-Link SystemsUnknown23-May-2003
Data GeneralUnknown23-May-2003
Debian LinuxUnknown23-May-2003
EngardeUnknown23-May-2003
Extreme NetworksUnknown23-May-2003
F5 Networks, Inc.Unknown23-May-2003
Foundry Networks Inc.Not Vulnerable2-Jun-2003
FreeBSD, Inc.Unknown23-May-2003
FujitsuNot Vulnerable5-Jun-2003
Gentoo LinuxVulnerable23-May-2003
Hewlett-Packard CompanyUnknown23-May-2003
HitachiNot Vulnerable14-Jul-2003
IBM-zSeriesUnknown23-May-2003
IBM CorporationVulnerable27-May-2003
Ingrian Networks, Inc.Unknown23-May-2003
IntelUnknown23-May-2003
Juniper Networks, Inc.Unknown23-May-2003
LachmanUnknown23-May-2003
Lotus SoftwareUnknown23-May-2003
Lucent TechnologiesUnknown23-May-2003
Mandriva, Inc.Vulnerable8-Sep-2004
Mandriva, Inc.Vulnerable23-May-2003
Mandriva, Inc.Unknown23-May-2003
Microsoft CorporationUnknown23-May-2003
MontaVista Software, Inc.Unknown23-May-2003
Multi-Tech Systems Inc.Unknown23-May-2003
MultinetUnknown23-May-2003
NEC CorporationUnknown23-May-2003
NetBSDVulnerable23-May-2003
NetscreenUnknown23-May-2003
Network ApplianceUnknown23-May-2003
NeXTUnknown23-May-2003
NokiaUnknown23-May-2003
Nortel Networks, Inc.Unknown23-May-2003
OpenBSDUnknown23-May-2003
OpenPKGVulnerable23-May-2003
Openwall GNU/*/LinuxVulnerable2-Jun-2003
Oracle CorporationUnknown23-May-2003
Red Hat, Inc.Vulnerable27-May-2003
Riverstone NetworksUnknown23-May-2003
SCOVulnerable23-May-2003
Sequent Computer Systems, Inc.Unknown23-May-2003
SGIUnknown23-May-2003
Sony CorporationUnknown23-May-2003
Sun Microsystems, Inc.Unknown23-May-2003
SUSE LinuxVulnerable24-Jun-2003
UnisysUnknown23-May-2003
Wind River Systems, Inc.Unknown23-May-2003
WirexUnknown23-May-2003
Xerox CorporationNot Vulnerable12-Jun-2003
XpdfNot Vulnerable3-Jun-2003
ZyXELUnknown23-May-2003

References

http://www.gzip.org/zlib/
http://online.securityfocus.com/bid/6913
http://securityfocus.org/archive/1/312869
http://www.securityfocus.com/archive/1/312869
http://www.iss.net/security_center/static/11381.php
http://secunia.com/advisories/24788
http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=3616065
http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=9916286

Credit

This vulnerability was discovered by Richard Kettlewell.

This document was written by Ian A Finlay.

Other Information

Date Public:2003-02-22
Date First Published:2003-05-23
Date Last Updated:2008-06-06
CERT Advisory: 
CVE-ID(s):CVE-2003-0107
NVD-ID(s):CVE-2003-0107
US-CERT Technical Alerts: 
Severity Metric:29.11
Document Revision:11

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2003 Carnegie Mellon University
Disclaimers and copyright information
Get a PDF Reader