Gentoo Linux Security Advisory

Title: Perl Compress::Raw modules: Denial of Service ([عزيزي الزائر يتوجب عليك التسجيل لمشاهدة الرابط للتسجيل اضغط هنا])
Severity: normal
Exploitable: remote
Date: August 18, 2009
Bug(s): [عزيزي الزائر يتوجب عليك التسجيل لمشاهدة الرابط للتسجيل اضغط هنا], [عزيزي الزائر يتوجب عليك التسجيل لمشاهدة الرابط للتسجيل اضغط هنا]
ID: 200908-07

Synopsis


An off-by-one error in Compress::Raw::Zlib and Compress::Raw::Bzip2 might
lead to a Denial of Service.


Background


Compress::Raw::Zlib and Compress::Raw::Bzip2 are Perl low-level
interfaces to the zlib and bzip2 compression libraries.


Affected Packages

Package: perl-core/Compress-Raw-Zlib
Vulnerable: < 2.020
Unaffected: >= 2.020
Architectures: All supported architectures

Package: perl-core/Compress-Raw-Bzip2
Vulnerable: < 2.020
Unaffected: >= 2.020
Architectures: All supported architectures


De******ion


Leo Bergolth reported an off-by-one error in the inflate() function in
Zlib.xs of Compress::Raw::Zlib, possibly leading to a heap-based buffer
overflow (CVE-2009-1391).

Paul Marquess discovered a similar vulnerability in the bzinflate()
function in Bzip2.xs of Compress::Raw::Bzip2 (CVE-2009-1884).


Impact


A remote attacker might entice a user or automated system (for instance
running SpamAssassin or AMaViS) to process specially crafted files,
possibly resulting in a Denial of Service condition.


Workaround


There is no known workaround at this time.


Resolution


All Compress::Raw::Zlib users should upgrade to the latest version:
Code: # emerge --sync
# emerge --ask --oneshot --verbose ">=perl-core/Compress-Raw-Zlib-2.020"
All Compress::Raw::Bzip2 users should upgrade to the latest version:
Code: # emerge --sync
# emerge --ask --oneshot --verbose ">=perl-core/Compress-Raw-Bzip2-2.020"

References