Vulnerability Note VU#238678

The zlib compression library is vulnerable to a denial-of-service condition

Overview

Un-handled error conditions in the zlib compression library may allow an attacker to cause a denial-of-service condition.

I. Description

There is a vulnerability in the error handling mechanisms of the decompression functions in the zlib compression library. The decompression functions inflate() and inflateBack() fail to handle certain error conditions properly. If an un-handled error condition is raised, the application linked to zlib may abruptly and abnormally terminate. This vulnerability may be exploited locally or remotely depending on the application being attacked.

This issue exists in zlib versions 1.2.0.x and 1.2.x, other versions are not vulnerable.

II. Impact

A malicious user may be able to intentionally raise an un-handled error condition by supplying the vulnerable functions with specially crafted compressed data. As a result, applications linked to the zlib library may abruptly and abnormally terminate resulting in a denial-of-service condition.

III. Solution

Check with Vendor

Users who suspect they are vulnerable are encouraged to check with their vendor to determine the appropriate action to take. Please see the list of vendors we have notified below.

Systems Affected

Vendor	Status	Date Notified
3Com	Unknown	1-Sep-2004
Alcatel	Unknown	1-Sep-2004
AOL Time Warner	Unknown	13-Sep-2004
AppGate Network Security AB	Not Vulnerable	2-Sep-2004
Apple Computer Inc.	Not Vulnerable	17-Feb-2005
Aruba Networks	Not Vulnerable	13-Sep-2004
At&T	Unknown	1-Sep-2004
Avaya	Unknown	1-Sep-2004
Avici Systems Inc.	Unknown	1-Sep-2004
Bitvise	Not Vulnerable	13-Sep-2004
Brorderware	Unknown	1-Sep-2004
BSDI	Unknown	1-Sep-2004
Certicom	Not Vulnerable	9-Sep-2004
Check Point	Not Vulnerable	7-Sep-2004
Chiaro Networks	Not Vulnerable	2-Sep-2004
Cisco Systems	Unknown	31-Aug-2005
Cisco Systems Inc.	Unknown	2-Sep-2004
Clavister	Not Vulnerable	2-Sep-2004
Computer Associates	Unknown	1-Sep-2004
Conectiva	Unknown	1-Sep-2004
CovErt	Unknown	1-Sep-2004
Cray Inc.	Not Vulnerable	1-Sep-2004
cryptlib	Not Vulnerable	7-Sep-2004
Crypto++	Not Vulnerable	2-Sep-2004
CVS Home	Vulnerable	5-Oct-2005
Cwnt	Unknown	1-Sep-2004
Data Connection	Unknown	1-Sep-2004
Debian	Vulnerable	2-Sep-2004
Dlink	Unknown	1-Sep-2004
EMC Corporation	Unknown	1-Sep-2004
Engrade	Unknown	1-Sep-2004
eSoft	Not Vulnerable	2-Sep-2004
Extreme Networks	Not Vulnerable	16-Sep-2004
F5 Networks	Unknown	1-Sep-2004
FiSSH	Unknown	1-Sep-2004
Fortinet	Unknown	1-Sep-2004
Foundry Networks Inc.	Not Vulnerable	3-Sep-2004
FreeBSD	Not Vulnerable	13-Sep-2004
FreSSH	Unknown	1-Sep-2004
Fujitsu	Unknown	1-Sep-2004
GTA	Unknown	1-Sep-2004
Hewlett-Packard Company	Unknown	1-Sep-2004
Hitachi	Unknown	1-Sep-2004
Hyperchip	Unknown	1-Sep-2004
IAIK	Unknown	1-Sep-2004
IBM	Unknown	2-Sep-2004
IBM-zSeries	Unknown	1-Sep-2004
IMmunix	Unknown	1-Sep-2004
Ingrian Networks	Unknown	1-Sep-2004
Intel	Unknown	1-Sep-2004
Interpeak	Unknown	1-Sep-2004
Intersoft International Inc.	Not Vulnerable	2-Sep-2004
Intoto	Not Vulnerable	16-Sep-2004
IP Filter	Unknown	1-Sep-2004
Juniper Networks	Not Vulnerable	1-Sep-2004
Lachman	Unknown	1-Sep-2004
Libgcrypt	Not Vulnerable	13-Sep-2004
libpng.org	Vulnerable	2-Sep-2004
Linksys	Unknown	1-Sep-2004
lsh	Unknown	1-Sep-2004
Lucent Technologies	Unknown	1-Sep-2004
Luminous	Unknown	1-Sep-2004
MacSSH	Vulnerable	7-Sep-2004
MandrakeSoft	Unknown	1-Sep-2004
Microsoft Corporation	Unknown	1-Sep-2004
Mirapoint	Not Vulnerable	2-Sep-2004
MontaVista Software	Unknown	1-Sep-2004
Mozilla	Unknown	1-Sep-2004
Multi-Tech Systems Inc.	Unknown	1-Sep-2004
Multinet	Unknown	1-Sep-2004
NEC Corporation	Unknown	1-Sep-2004
NETBSD	Unknown	1-Sep-2004
NETcomposite	Unknown	1-Sep-2004
Netfilter	Unknown	1-Sep-2004
Netscape Communications Corporation	Unknown	1-Sep-2004
Netscape (AOL) NSS	Unknown	1-Sep-2004
NetScreen	Unknown	1-Sep-2004
Nettle	Unknown	1-Sep-2004
Network Applicance	Unknown	1-Sep-2004
NextHop	Not Vulnerable	1-Oct-2004
Nokia	Unknown	1-Sep-2004
Nortel Networks	Unknown	1-Sep-2004
Novell	Unknown	1-Sep-2004
OpenBSD	Unknown	1-Sep-2004
OpenSSH	Unknown	1-Sep-2004
OpenSSL	Unknown	1-Sep-2004
Openwall GNU/*/Linux	Not Vulnerable	15-Sep-2004
Oracle Corporation	Unknown	1-Sep-2004
Pragma Systems	Unknown	1-Sep-2004
Putty	Unknown	1-Sep-2004
Red Hat Inc.	Unknown	1-Sep-2004
Redback Networks Inc.	Unknown	1-Sep-2004
Riverstone Networks	Unknown	1-Sep-2004
RSA Security	Unknown	1-Sep-2004
SCO	Unknown	1-Sep-2004
Secure Computing Corporation	Unknown	1-Sep-2004
SecureWorks	Unknown	1-Sep-2004
Sequent	Unknown	1-Sep-2004
SGI	Unknown	1-Sep-2004
Sony Corporation	Unknown	1-Sep-2004
Spyrus	Unknown	1-Sep-2004
Stonesoft	Not Vulnerable	5-Oct-2004
Sun Microsystems Inc.	Not Vulnerable	27-Sep-2004
SuSE Inc.	Not Vulnerable	2-Sep-2004
Symantec Corporation	Unknown	1-Sep-2004
TTSSH/TeraTerm	Unknown	2-Sep-2004
TurboLinux	Unknown	1-Sep-2004
Unisys	Unknown	1-Sep-2004
VanDyke Software Inc.	Not Vulnerable	10-Sep-2004
WatchGuard	Unknown	1-Sep-2004
Wind River Systems Inc.	Unknown	1-Sep-2004
WinSCP	Unknown	1-Sep-2004
WRQ	Not Vulnerable	21-Sep-2004
Zlib.org	Vulnerable	3-Nov-2004
ZyXEL	Unknown	1-Sep-2004

References

http://secunia.com/advisories/11129/
http://www.openpkg.org/security/OpenPKG-SA-2004.038-zlib.html
http://www.linuxcompatible.org/story33484.html
http://www.securityfocus.com/archive/1/402119

Credit

This vulnerability was reported by OpenPKG.

We thank Mark Adler for providing information about this vulnerability.

This document was written by Jeff Gennari.

Other Information

Date Public:	2004-08-25
Date First Published:	2004-10-01
Date Last Updated:	2005-10-05
CERT Advisory:
CVE-ID(s):	CAN-2004-0797
NVD-ID(s):	CAN-2004-0797
US-CERT Technical Alerts:
Severity Metric:	0.66
Document Revision:	335

If you have feedback, comments, or additional information about this vulnerability, please send us email.