NetBSD Information for VU#680620

zlib inflate() routine vulnerable to buffer overflow

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


NetBSD Security Note 20050708-1
===============================

Topic: NetBSD base system not vulnerable to zlib overflow
pkgsrc did provide vulnerable versions

A zlib buffer overflow has been announced.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2005-2096

The NetBSD Security Officer team was aware of this issue, and would
like to reassure users that the NetBSD base system is not vulnerable.

The bug was introduced in changes to zlib after 1.1.4, the latest
version supplied in the base install of NetBSD.

The vulnerable version, 1.2.2 has been available from pkgsrc.

Users of the audit-packages tool will already have noticed that version
is marked as vulnerable, and the 1.2.2nb1 update addresses the issue.

Other pkgsrc users are encouraged to update devel/zlib to 1.2.2nb1, as
well as to take advantage of the security/audit-packages infrastructure.


Thanks To
=========

Tavis Ormandy
Colin Percival
Mark Adler
Matthias Drochner
Matthias Scheler

More Information
================

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2005, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SN20050708-1.txt,v 1.1 2005/07/08 15:54:11 david Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (NetBSD)

iQCVAwUBQs6+TD5Ru2/4N2IFAQI9HAQAvT7R6nDbr+xDroAXYkZrs2zdI9gkIStc
UswbbKNP1G8D90h4nIKrXtvNyG+e4squRtawLB06Fylu+OkielUWeTPIzzwmef0V
qWqWBxg1EWM2WigyDS/SmA6lrQt+dgJ4bfX0IiwakBItdM6v5yScB9svI4qi0aNl
n8+PU7IvbGU=
=PWU8
-----END PGP SIGNATURE-----

If you have feedback, comments, or additional information about this vulnerability, please send us email.