Vulnerability Note VU#142121

zlib "gzprintf()" function vulnerable to buffer overflow

Original Release date: 23 May 2003 | Last revised: 06 Jun 2008

Overview

A buffer overflow exists in one of the functions included with the zlib compression library. This vulnerability may allow a remote attacker to execute arbitrary code or cause a denial of service. An exploit for this vulnerability is publicly available.

Description

The zlib website describes zlib as a "...lossless data-compression library for use on virtually any computer hardware and operating system." A buffer overflow exists in the gzprintf function contained within the zlib compression library. For more detailed information, please see Richard Kettlewell's advisory.

Impact

A remote attacker may be able to execute code or cause a denial of service.

Solution

Apply a vendor patch.

Systems Affected

Vendor                  Status        Date Notified  Date Updated
Gentoo Linux            Affected      -              23 May 2003
IBM Corporation         Affected      23 May 2003    27 May 2003
Mandriva, Inc.          Affected      23 May 2003    08 Sep 2004
Mandriva, Inc.          Affected      -              23 May 2003
NetBSD                  Affected      23 May 2003    23 May 2003
OpenPKG                 Affected      -              23 May 2003
Openwall GNU/*/Linux    Affected      23 May 2003    02 Jun 2003
Red Hat, Inc.           Affected      23 May 2003    27 May 2003
SCO                     Affected      -              23 May 2003
SUSE Linux              Affected      23 May 2003    24 Jun 2003
Apple Computer, Inc.    Not Affected  23 May 2003    02 Jun 2003
Foundry Networks Inc.   Not Affected  23 May 2003    02 Jun 2003
Fujitsu                 Not Affected  23 May 2003    05 Jun 2003
Hitachi                 Not Affected  23 May 2003    14 Jul 2003
Xerox Corporation       Not Affected  23 May 2003    12 Jun 2003

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

This vulnerability was discovered by Richard Kettlewell.

This document was written by Ian A Finlay.

Other Information

  • CVE IDs: CVE-2003-0107
  • Date Public: 22 Feb 2003
  • Date First Published: 23 May 2003
  • Date Last Updated: 06 Jun 2008
  • Severity Metric: 29.11
  • Document Revision: 11
