CERT Vulnerability Note VU#680620
Published: Jul 07, 2005

zlib inflate() routine vulnerable to buffer overflow

Source: www.kb.cert.org

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

EPSS: 0.059 Low (Percentile 93.4%)

Overview

A buffer overflow in the zlib compression library may cause any application linked to zlib to improperly and immediately terminate.

Description

There is a buffer overflow in the zlib data-compression library caused by a lack of bounds checking in the inflate() routine. If an attacker supplies the inflate() routine with a specially crafted compressed data stream, that attacker may be able to trigger the buffer overflow, causing any application linked to zlib, or incorporating zlib code, to crash. According to reports, the buffer overflow is triggered by a specific input stream and results in a constant value being written to an arbitrary memory location. This vulnerability may be exploited locally or remotely, depending on the application being attacked.

This vulnerability only affects zlib versions 1.2.1 and 1.2.2.


Impact

A remote attacker may be able to exploit this vulnerability by supplying the inflate() routine with specially crafted compressed data. As a result, applications linked to the zlib library may abruptly and abnormally terminate, resulting in a denial-of-service condition. According to public reports, this vulnerability can be exploited to execute arbitrary code, but we have not confirmed this.


Solution

Apply patches from your vendor

The zlib compression library is freely available and used by many vendors in a wide variety of applications. As a result, any one of these applications may contain this vulnerability. Users are encouraged to contact their vendors to determine if they are vulnerable and what action to take.
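Because zlib is often compiled directly into applications rather than linked as a shared library, an inventory of installed libz packages misses many affected copies. The following scanner is an added example (not part of the CERT note or of zlib) that locates statically incorporated zlib copies by the version stamp zlib embeds in its own objects (strings of the form " inflate 1.2.1 Copyright 1995-2003 Mark Adler " from inftrees.c and " deflate 1.2.1 Copyright ... Jean-loup Gailly " from deflate.c; the year range varies per release, so only the version number is matched) and flags the two versions this note lists as affected. The sample binary bytes are constructed for the demonstration.

```python
import re
import sys
from pathlib import Path
from typing import Iterator, List, NamedTuple, Tuple

# Upstream zlib versions this note (VU#680620) lists as affected.
AFFECTED = {(1, 2, 1), (1, 2, 2)}

# zlib stamps its version into every object that carries inflate()/deflate(),
# e.g. " inflate 1.2.1 Copyright 1995-2003 Mark Adler " (inftrees.c) and
# " deflate 1.2.1 Copyright 1995-2003 Jean-loup Gailly " (deflate.c).
# The copyright year range differs per release, so only the version is captured.
_STAMP = re.compile(rb"\b(inflate|deflate) (\d+(?:\.\d+){1,3}) Copyright \d{4}")


class ZlibHit(NamedTuple):
    path: str
    routine: str            # "inflate" or "deflate"
    version: Tuple[int, ...]  # parsed numeric version, e.g. (1, 2, 1)
    offset: int             # byte offset of the stamp inside the file
    affected: bool          # True when the version is one VU#680620 covers


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.2.2' into (1, 2, 2) so that 1.2.11 is not mistaken for 1.2.1."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version: Tuple[int, ...]) -> bool:
    return version in AFFECTED


def scan_bytes(blob: bytes, path: str = "<memory>") -> List[ZlibHit]:
    """Return one ZlibHit per embedded zlib version stamp found in blob."""
    hits = []
    for match in _STAMP.finditer(blob):
        version = parse_version(match.group(2).decode("ascii"))
        hits.append(ZlibHit(path, match.group(1).decode("ascii"),
                            version, match.start(), is_affected(version)))
    return hits


def scan_file(path: Path) -> List[ZlibHit]:
    try:
        data = path.read_bytes()
    except OSError:
        return []          # unreadable files (permissions, devices) are skipped
    return scan_bytes(data, str(path))


def scan_tree(root: Path) -> Iterator[ZlibHit]:
    """Walk a directory tree and report every embedded zlib copy found."""
    for entry in root.rglob("*"):
        if entry.is_file() and not entry.is_symlink():
            yield from scan_file(entry)


# Constructed sample: bytes resembling a binary that carries a statically
# linked zlib 1.2.2 (affected) next to a 1.2.3 copy (the fixed release the
# CVS NEWS entry below refers to).
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b" inflate 1.2.2 Copyright 1995-2004 Mark Adler \x00"
    + b"\x90" * 32
    + b" deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly \x00"
)


if __name__ == "__main__":
    # Usage: python zlib_scan.py [directory]; without an argument the sample is scanned.
    if len(sys.argv) > 1:
        hits = list(scan_tree(Path(sys.argv[1])))
    else:
        hits = scan_bytes(SAMPLE_BINARY, "sample")
    for hit in hits:
        verdict = "AFFECTED (VU#680620)" if hit.affected else "not affected"
        version = ".".join(str(n) for n in hit.version)
        print(f"{hit.path}: {hit.routine} {version} @0x{hit.offset:x}: {verdict}")
```

A hit on an affected version means that file carries its own copy of the vulnerable decoder and must be rebuilt against a fixed zlib; updating the system libz package does not repair it.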


Vendor Information


CVS Home: Affected

Updated: October 05, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

From the CVS version 1.12.13 NEWS file:

CVS now uses version 1.2.3 of the ZLib compression libraries in order to avoid two recently announced security vulnerabilities in them. Both may be used for denial of service attacks and one may reportedly allow execution of arbitrary code, though this is not confirmed. Please see the CERT vulnerabilities advisories #238678 <http://www.kb.cert.org/vuls/id/238678> & #680620 <http://www.kb.cert.org/vuls/id/680620> for more.

Note that according to CVS HOME, CVS development and the CVS information pages have moved to <http://www.nongnu.org/cvs/>.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23680620 Feedback>).

Gentoo: Affected

Updated: July 13, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see <http://www.gentoo.org/security/en/glsa/glsa-200507-05.xml>


Mandriva, Inc.: Affected

Notified: July 11, 2005 Updated: July 11, 2005

Status

Affected

Vendor Statement

Mandriva has released updated packages to correct the zlib vulnerability. For more information view the MDKSA-2005:112 advisory.

<http://www.mandriva.com/security/advisories?name=MDKSA-2005:112>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Red Hat, Inc.: Affected

Notified: July 11, 2005 Updated: July 11, 2005

Status

Affected

Vendor Statement

Vendor statement; Red Hat:

This issue affected Red Hat Enterprise Linux 4. Updated packages were made available on July 6th along with our advisory at the URL below. Red Hat Enterprise Linux 2.1 and 3 were not affected by this issue as they shipped a version of zlib not affected by this issue.

<http://rhn.redhat.com/errata/RHSA-2005-569.html>

Vendor statement; Fedora Project:

Updated zlib packages are available for Fedora Core 3 and Fedora Core 4:

<http://www.redhat.com/archives/fedora-announce-list/2005-July/msg00017.html>
<http://www.redhat.com/archives/fedora-announce-list/2005-July/msg00016.html>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


Foundry Networks Inc.: Not Affected

Notified: July 11, 2005 Updated: July 13, 2005

Status

Not Affected

Vendor Statement

Foundry is not vulnerable to this DoS vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


Juniper Networks, Inc.: Not Affected

Notified: July 11, 2005 Updated: July 22, 2005

Status

Not Affected

Vendor Statement

Juniper Networks products are not susceptible to this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


Microsoft Corporation: Not Affected

Notified: July 11, 2005 Updated: July 12, 2005

Status

Not Affected

Vendor Statement

Our initial investigation has revealed that currently supported versions of Microsoft Windows are not at risk from this vulnerability.

Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


NetBSD: Not Affected

Notified: July 11, 2005 Updated: July 11, 2005

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum


NetBSD Security Note 20050708-1

Topic: NetBSD base system not vulnerable to zlib overflow
       pkgsrc did provide vulnerable versions

A zlib buffer overflow has been announced.

<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2005-2096>

The NetBSD Security Officer team was aware of this issue, and would
like to reassure users that the NetBSD base system is not vulnerable.

The bug was introduced in changes to zlib after 1.1.4, the latest
version supplied in the base install of NetBSD.

The vulnerable version, 1.2.2 has been available from pkgsrc.

Users of the audit-packages tool will already have noticed that version
is marked as vulnerable, and the 1.2.2nb1 update addresses the issue.

Other pkgsrc users are encouraged to update devel/zlib to 1.2.2nb1, as
well as to take advantage of the security/audit-packages infrastructure.

Thanks To

Tavis Ormandy
Colin Percival
Mark Adler
Matthias Drochner
Matthias Scheler

More Information

Information about NetBSD and NetBSD security can be found at
<http://www.NetBSD.org/> and <http://www.NetBSD.org/Security/>.

Copyright 2005, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SN20050708-1.txt,v 1.1 2005/07/08 15:54:11 david Exp $



Openwall GNU/*/Linux: Not Affected

Notified: July 11, 2005 Updated: July 12, 2005

Status

Not Affected

Vendor Statement

Openwall GNU/*/Linux (Owl) has never used a version of zlib affected by this vulnerability. We’re currently using zlib 1.1.4.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


TurboLinux: Not Affected

Notified: July 11, 2005 Updated: July 12, 2005

Status

Not Affected

Vendor Statement

Please refer to the following URL:

English

<http://www.turbolinux.com/security/2005/TLSA-2005-77.txt>

Japanese

<http://www.turbolinux.co.jp/security/2005/TLSA-2005-77j.txt>

Other products are “Not Vulnerable”.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum


--------------------------------------------------------------------------
Turbolinux Security Advisory TLSA-2005-77
<http://www.turbolinux.co.jp/security/>
[email protected]
--------------------------------------------------------------------------

Original released date: 11 Jul 2005
Last revised: 11 Jul 2005

Package: zlib

Summary: Buffer overflow

More information:
Zlib is a widely used compression and decompression library.
A buffer overflow vulnerability exists in zlib.

Impact:
zlib allows attackers to cause a denial of service via a crafted file.

Affected Products:
- Turbolinux 10 Server

Solution:
Please use the turbopkg (zabom) tool to apply the update.
---------------------------------------------

turbopkg

or

zabom -u zlib zlib-devel

---------------------------------------------

<Turbolinux 10 Server>

Source Packages
Size: MD5

<ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/SRPMS/zlib-1.2.1-4.src.rpm>
293562 ccc7c91245fd4915b9c437df5d8507b2

Binary Packages
Size: MD5

<ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/zlib-1.2.1-4.i586.rpm>
65883 db85def8bf7e2c4056bcaae7335f03ab
<ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/zlib-debug-1.2.1-4.i586.rpm>
125754 6588b66e89375b9ec9df6c1753628c42
<ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/10/updates/RPMS/zlib-devel-1.2.1-4.i586.rpm>
61584 4884c0ca20644d34ddb339549187dedb

References:

CVE
[CAN-2005-2096]
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096>

--------------------------------------------------------------------------
Revision History
11 Jul 2005 Initial release
--------------------------------------------------------------------------

Copyright © 2005 Turbolinux, Inc. All rights reserved.



3Com: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


AT&T: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


Alcatel: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


Apple Computer, Inc.: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


Avaya: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


Avici Systems Inc.: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


Borderware: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


Check Point: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


Chiaro Networks: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


Cisco Systems, Inc.: Unknown

Notified: August 31, 2005 Updated: August 31, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cisco Systems, Inc.: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


Clavister: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


Computer Associates: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


Cray Inc.: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


Cwnt: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


Data Connection: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


Debian Linux: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


EMC Corporation: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


Engarde: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


Extreme Networks: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


F5 Networks, Inc.: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


Force10 Networks Inc.: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


Fortinet: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


FreeBSD, Inc.: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

FreeBSD 5.3 and FreeBSD 5.4 are affected by this issue. It was addressed in the security advisory FreeBSD-SA-05:16.zlib, which provides instructions on how to correct the problem.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum


=============================================================================
FreeBSD-SA-05:16.zlib Security Advisory
The FreeBSD Project

Topic: Buffer overflow in zlib

Category: core
Module: libz
Announced: 2005-07-06
Credits: Tavis Ormandy
Affects: FreeBSD 5.3, FreeBSD 5.4
Corrected: 2005-07-06 14:01:11 UTC (RELENG_5, 5.4-STABLE)
           2005-07-06 14:01:30 UTC (RELENG_5_4, 5.4-RELEASE-p4)
           2005-07-06 14:01:52 UTC (RELENG_5_3, 5.3-RELEASE-p18)
CVE Name: CAN-2005-2096

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

zlib is a compression library used by numerous applications to provide
data compression/decompression routines.

II. Problem Description

An error in the handling of corrupt compressed data streams can result
in a buffer being overflowed.

III. Impact

By carefully crafting a corrupt compressed data stream, an attacker can
overwrite data structures in a zlib-using application. This may cause
the application to halt, causing a denial of service; or it may result
in the attacker gaining elevated privileges.

IV. Workaround

No workaround is available.

V. Solution

Perform one of the following:

  1. Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_4 or
    RELENG_5_3 security branch dated after the correction date.

  2. To patch your present system:

The following patch has been verified to apply to FreeBSD 5.3 and 5.4
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

fetch <ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:16/zlib.patch>

fetch <ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:16/zlib.patch.asc>

b) Execute the following commands as root:

cd /usr/src

patch < /path/to/patch

cd /usr/src/lib/libz/

make obj && make depend && make && make install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch      Path                       Revision
RELENG_5    src/lib/libz/inftrees.c    1.4.2.2
RELENG_5_4  src/UPDATING               1.342.2.24.2.13
            src/sys/conf/newvers.sh    1.62.2.18.2.9
            src/lib/libz/inftrees.c    1.4.6.1
RELENG_5_3  src/UPDATING               1.342.2.13.2.21
            src/sys/conf/newvers.sh    1.62.2.15.2.23
            src/lib/libz/inftrees.c    1.4.4.1


VII. References

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096>

The latest revision of this advisory is available at
<ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:16.zlib.asc>


Fujitsu: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


GTA: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


Hewlett-Packard Company: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


Hitachi: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


Hyperchip: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


IBM Corporation: Unknown

Notified: July 11, 2005 Updated: August 09, 2005

Status

Unknown

Vendor Statement

The AIX operating system is not vulnerable to the issues discussed in Vulnerability Note VU#680620. However, zlib is available for installation on AIX via the AIX Toolbox for Linux. These items are shipped “as is” and are unwarranted. A patched version of the zlib library can be downloaded from:

<ftp://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/zlib/zlib-1.2.2-4.aix5.1.ppc.rpm>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


IBM eServer: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


IBM-zSeries: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


IPf: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


ISS: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Immunix: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Ingrian Networks, Inc.: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Inoto: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Intel: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Linksys: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Lucent Technologies: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Luminous: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Mandriva, Inc.: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

MontaVista Software, Inc.: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Multi-Tech Systems Inc.: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Multinet: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

NEC Corporation: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Netfilter: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Network Appliance: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

NextHop: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Nortel Networks, Inc.: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Novell, Inc.: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

OpenBSD: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

QNX: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Redback Networks Inc.: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Riverstone Networks: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

SGI: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

SUSE Linux: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Secure Computing Corporation: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

SecureWorks: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Sequent Computer Systems, Inc.: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Sony Corporation: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Stonesoft: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Sun Microsystems, Inc.: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Symantec Corporation: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

The SCO Group (SCO Linux): Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

The SCO Group (SCO Unix): Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Unisys: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

WatchGuard: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Wind River Systems, Inc.: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

Zlib.org: Unknown

Notified: July 06, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

ZyXEL: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.

eSoft: Unknown

Notified: July 11, 2005 Updated: July 11, 2005

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

We have no additional comments at this time.


CVSS Metrics

| Group | Score | Vector |
| --- | --- | --- |
| Base | | |
| Temporal | | |
| Environmental | | |

Acknowledgements

This vulnerability was reported by Mark Adler.

This document was written by Jeff Gennari.

Other Information

CVE IDs: CVE-2005-2096
Severity Metric: 9.45
Date Public:
