|
 |
| Sat, May 17th | home | browse | articles | contact | chat | submit | faq | newsletter | about | stats | scoop | 23:39 PDT |
|
|
login « register « recover password « |
|
|
|
Zlib is a general-purpose lossless data compression library that is used by many different programs. A previous zlib update fixed a flaw in zlib that could allow a carefully crafted compressed stream to crash an application. While the original patch corrected the reported overflow, Markus Oberhumer discovered additional ways a stream could trigger an overflow. An attacker could create a carefully crafted compressed stream that would cause an application to crash if the stream is opened by a user. As an example, an attacker could create a malicious PNG image file that would cause a Web browser or mail viewer to crash if the image is viewed. Fixed packages are available from updates.redhat.com. Links: updates.redhat.com [Comments are disabled]
Markus Oberhumer discovered a flaw in the way zlib, a library used for file compression and decompression, handles invalid input. This flaw can cause programs which use zlib to crash when opening an invalid file. Fixed packages are available from security.debian.org. Links: security.debian.org [Comments are disabled]
A denial of service condition was fixed in the zlib library. Any program using zlib to decompress data can be crashed by a specially handcrafted invalid data stream. This includes web browsers or email programs able to view PNG images (which are compressed by zlib), allowing remote attackers to crash browser sessions or potentially anti virus programs using this vulnerability. Fixed packages are available from ftp.suse.com. Links: ftp.suse.com [Comments are disabled]
Zlib is a general-purpose lossless data compression library which is used by many different programs. Tavis Ormandy discovered a buffer overflow affecting Zlib version 1.2 and above. An attacker could create a carefully crafted compressed stream that would cause an application to crash if the stream is opened by a user. As an example, an attacker could create a malicious PNG image file which would cause a web browser or mail viewer to crash if the image is viewed. Fixed packages are available from updates.redhat.com. Links: updates.redhat.com [Comments are disabled]
An error in the way zlib handles the inflation of certain compressed files can cause a program which uses zlib to crash when opening an invalid file. Fixed packages are available from security.debian.org . Links: security.debian.org [Comments are disabled]
zlib is a widely used data compression library. Programs linked against it include most desktop applications as well as servers such as Apache and OpenSSH. The 'inflate' function of zlib handles certain input data incorrectly which could lead to a denial of service condition for programs using it with untrusted data. Whether the vulnerability can be exploided locally or remotely depends on the application using it. Fixed packages can be obtained from ftp.suse.com Links: ftp.suse.com [Comments are disabled]
Zlib is a general-purpose, patent-free, lossless data compression library used by many different programs. The function gzprintf within zlib, when called with a string longer than Z_PRINTF_BUFZISE (= 4096 bytes), can overflow without giving a warning. zlib-1.1.4 and earlier exhibit this behavior. There are no known exploits of the gzprintf overrun, and only a few programs, including rpm2html and gimp-print, are known to use the gzprintf function. The problem has been fixed by checking the length of the output string within gzprintf. Fixed packages are available from updates.redhat.com. Links: updates.redhat.com [Comments are disabled]
So, you've just gotten a PalmOS-based PDA... now what? Here are some suggestions for Open Source Software/Free Software available for the Palm, grouped into the following topics: electronic books, games, miscellaneous software, and how to locate other software. I'll close with a few comments about the future of Palms. [Comments are disabled]
The compression library zlib has a flaw in which it attempts to free memory more than once under certain conditions. This can possibly be exploited to run arbitrary code in a program that includes zlib. If a network application running as root is linked to zlib, this could potentially lead to a remote root compromise. No exploits are known at this time. This vulnerability is assigned the CVE candidate name of CAN-2002-0059. Fixed packages are available from security.debian.org. Links: security.debian.org [Comments are disabled]
The zlib compression library is being used by many applications to provide data compression/decompression routines. An error in a decompression routine can corrupt the internal data structures of malloc by a double call to the free() function. If the data processed by the compression library is provided from an untrusted source, it may be possible for an attacker to interfere with the process using the zlib routines. The attack scenario includes a denial of service attack and memory/data disclosure, but it may also be possible to insert arbitrary code into the running program and to execute this code. This update fixes the known problems in the libz/zlib as a permanent fix. There exists no temporary workaround that can efficiently remedy the problem. Fixed packages are available from ftp.suse.com. Links: ftp.suse.com [Comments are disabled]
While performing tests on the gdk-pixbuf library, Matthias Clasen created an invalid PNG image that caused libpng to crash. Upon further investigation, this turned out to be a bug in zlib 1.1.3 where certain types of input will cause zlib to free the same area of memory twice (called a "double free"). This bug can be used to crash any program that takes untrusted compressed input. Web browsers or email programs that display image attachments or other programs that uncompress data are particularly affected. This vulnerability makes it easy to perform various denial-of-service attacks against such programs. Fixed packages are available from updates.redhat.com. Links: updates.redhat.com [Comments are disabled]
|
|
