GLSA Advocate
Joined: 12 May 2004 Posts: 2663
|
Posted: Sat Aug 22, 2009 6:26 am Post subject: [ GLSA 200908-07 ] Perl Compress::Raw modules: Denial of Ser |
|
|
Gentoo Linux Security Advisory
Title: Perl Compress::Raw modules: Denial of Service (GLSA 200908-07)
Severity: normal
Exploitable: remote
Date: August 18, 2009
Bug(s): #273141, #281955
ID: 200908-07
Synopsis
An off-by-one error in Compress::Raw::Zlib and Compress::Raw::Bzip2 might
lead to a Denial of Service.
Background
Compress::Raw::Zlib and Compress::Raw::Bzip2 are Perl low-level
interfaces to the zlib and bzip2 compression libraries.
Affected Packages
Package: perl-core/Compress-Raw-Zlib
Vulnerable: < 2.020
Unaffected: >= 2.020
Architectures: All supported architectures
Package: perl-core/Compress-Raw-Bzip2
Vulnerable: < 2.020
Unaffected: >= 2.020
Architectures: All supported architectures
Description
Leo Bergolth reported an off-by-one error in the inflate() function in
Zlib.xs of Compress::Raw::Zlib, possibly leading to a heap-based buffer
overflow (CVE-2009-1391).
Paul Marquess discovered a similar vulnerability in the bzinflate()
function in Bzip2.xs of Compress::Raw::Bzip2 (CVE-2009-1884).
Impact
A remote attacker might entice a user or automated system (for instance
running SpamAssassin or AMaViS) to process specially crafted files,
possibly resulting in a Denial of Service condition.
Workaround
There is no known workaround at this time.
Resolution
All Compress::Raw::Zlib users should upgrade to the latest version:
Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=perl-core/Compress-Raw-Zlib-2.020" |
All Compress::Raw::Bzip2 users should upgrade to the latest version:
Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=perl-core/Compress-Raw-Bzip2-2.020" |
References
CVE-2009-1391
CVE-2009-1884
Last edited by GLSA on Tue Apr 08, 2014 4:30 am; edited 3 times in total |
|