
Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow



On Mon, Mar 11, 2002 at 10:16:35PM -0500, Matt Zimmerman wrote:

> I have some scripts which I used to find the above packages, which I plan to
> run on unstable very soon.  I will post the results here for discussion
> about filing of bugs.

Here are the results.  I have not investigated these packages any further,
as I don't have the time.  Many of these already have bugs reported.

(I will take care of user-mode-linux)

pool/main/a/aide/aide_0.8-1_i386.deb
/usr/bin/aide: zlib configuration table, little endian, 32 bit
/usr/bin/aide: zlib inflate table, little endian
/usr/bin/aide: 8 out of 8 text messages
/usr/bin/aide: inflate version: "1.1.3 Copyright 1995-1998 Mark Adler "
/usr/bin/aide: deflate version: "1.1.3 Copyright 1995-1998 Jean-loup Gailly "

pool/main/a/amaya/amaya-gtk_5.3-3_i386.deb
/usr/lib/Amaya/applis/bin/print: zlib configuration table, little endian, 32 bit
/usr/lib/Amaya/applis/bin/print: zlib inflate table, little endian
/usr/lib/Amaya/applis/bin/print: 8 out of 8 text messages
/usr/lib/Amaya/applis/bin/print: inflate version: "1.1.3 Copyright 1995-1998 Mark Adler "
/usr/lib/Amaya/applis/bin/print: deflate version: "1.1.3 Copyright 1995-1998 Jean-loup Gailly "
/usr/lib/Amaya/applis/gtk/amaya: zlib configuration table, little endian, 32 bit
/usr/lib/Amaya/applis/gtk/amaya: zlib inflate table, little endian
/usr/lib/Amaya/applis/gtk/amaya: 8 out of 8 text messages
/usr/lib/Amaya/applis/gtk/amaya: inflate version: "1.1.3 Copyright 1995-1998 Mark Adler "
/usr/lib/Amaya/applis/gtk/amaya: deflate version: "1.1.3 Copyright 1995-1998 Jean-loup Gailly "

pool/main/a/amaya/amaya-lesstif_5.3-3_i386.deb
/usr/lib/Amaya/applis/lesstif/amaya: zlib configuration table, little endian, 32 bit
/usr/lib/Amaya/applis/lesstif/amaya: zlib inflate table, little endian
/usr/lib/Amaya/applis/lesstif/amaya: 8 out of 8 text messages
/usr/lib/Amaya/applis/lesstif/amaya: inflate version: "1.1.3 Copyright 1995-1998 Mark Adler "
/usr/lib/Amaya/applis/lesstif/amaya: deflate version: "1.1.3 Copyright 1995-1998 Jean-loup Gailly "

pool/main/c/cfitsio/cfitsio-dev_2.401-1_i386.deb
/usr/lib/libcfitsio.a: 1 out of 8 text messages

pool/main/c/cfitsio/cfitsio2_2.401-1_i386.deb
/usr/lib/libcfitsio.so.2.401: 1 out of 8 text messages

pool/main/c/cloop/cloop-utils_0.63-2_i386.deb
/usr/bin/create_compressed_fs: zlib configuration table, little endian, 32 bit
/usr/bin/create_compressed_fs: 1 out of 8 text messages
/usr/bin/create_compressed_fs: deflate version: "1.1.3 Copyright 1995-1998 Jean-loup Gailly "
/usr/bin/extract_compressed_fs: zlib inflate table, little endian
/usr/bin/extract_compressed_fs: 8 out of 8 text messages
/usr/bin/extract_compressed_fs: inflate version: "1.1.3 Copyright 1995-1998 Mark Adler "

pool/main/d/dict-gcide/dict-web1913_1.4-0.47pd-4_all.deb
/usr/bin/dictzip: zlib configuration table, little endian, 32 bit
/usr/bin/dictzip: zlib inflate table, little endian
/usr/bin/dictzip: 8 out of 8 text messages
/usr/bin/dictzip: inflate version: "1.0.4 Copyright 1995-1996 Mark Adler "
/usr/bin/dictzip: deflate version: "1.0.4 Copyright 1995-1996 Jean-loup Gailly "

pool/main/d/dictd/dictd_1.5.5-8_i386.deb
/usr/sbin/dictd: zlib inflate table, little endian
/usr/sbin/dictd: 8 out of 8 text messages
/usr/sbin/dictd: inflate version: "1.0.4 Copyright 1995-1996 Mark Adler "

pool/main/d/dpkg/dpkg_1.9.19_i386.deb
/usr/bin/dpkg-deb: zlib configuration table, little endian, 32 bit
/usr/bin/dpkg-deb: zlib inflate table, little endian
/usr/bin/dpkg-deb: 8 out of 8 text messages
/usr/bin/dpkg-deb: inflate version: "1.1.3 Copyright 1995-1998 Mark Adler "
/usr/bin/dpkg-deb: deflate version: "1.1.3 Copyright 1995-1998 Jean-loup Gailly "

pool/main/d/dump/dump_0.4b27-2_i386.deb
/sbin/dump: zlib configuration table, little endian, 32 bit
/sbin/dump: 1 out of 8 text messages
/sbin/dump: deflate version: "1.1.3 Copyright 1995-1998 Jean-loup Gailly "
/sbin/restore: zlib inflate table, little endian
/sbin/restore: 8 out of 8 text messages
/sbin/restore: inflate version: "1.1.3 Copyright 1995-1998 Mark Adler "

pool/main/g/gcc-3.0/fastjar_3.0.4-3_i386.deb
/usr/bin/fastjar: zlib configuration table, little endian, 32 bit
/usr/bin/fastjar: zlib inflate table, little endian
/usr/bin/fastjar: 8 out of 8 text messages
/usr/bin/fastjar: inflate version: "1.1.3 Copyright 1995-1998 Mark Adler "
/usr/bin/fastjar: deflate version: "1.1.3 Copyright 1995-1998 Jean-loup Gailly "
/usr/bin/grepjar: zlib configuration table, little endian, 32 bit
/usr/bin/grepjar: zlib inflate table, little endian
/usr/bin/grepjar: 8 out of 8 text messages
/usr/bin/grepjar: inflate version: "1.1.3 Copyright 1995-1998 Mark Adler "
/usr/bin/grepjar: deflate version: "1.1.3 Copyright 1995-1998 Jean-loup Gailly "

pool/main/f/fpc/fp-units-misc_1.0.4-2_i386.deb
/usr/lib/fpc/1.0.4/units/linux/paszlib/libzbase.a: 1 out of 8 text messages
/usr/lib/fpc/1.0.4/units/linux/paszlib/zbase.o: 1 out of 8 text messages
/usr/lib/fpc/1.0.4/units/linux/paszlib/libzinflate.a: 5 out of 8 text messages
/usr/lib/fpc/1.0.4/units/linux/paszlib/zinflate.o: 5 out of 8 text messages
/usr/lib/fpc/1.0.4/units/linux/paszlib/libzdeflate.a: zlib configuration table, little endian, 32 bit
/usr/lib/fpc/1.0.4/units/linux/paszlib/libzdeflate.a: deflate version: "1.1.2 Copyright 1995-1998 Jean-loup Gailly                                                                                                                                                                                                            "
/usr/lib/fpc/1.0.4/units/linux/paszlib/zdeflate.o: zlib configuration table, little endian, 32 bit
/usr/lib/fpc/1.0.4/units/linux/paszlib/zdeflate.o: deflate version: "1.1.2 Copyright 1995-1998 Jean-loup Gailly                                                                                                                                                                                                            "
/usr/lib/fpc/1.0.4/units/linux/paszlib/libinftrees.a: zlib inflate table, little endian
/usr/lib/fpc/1.0.4/units/linux/paszlib/inftrees.o: zlib inflate table, little endian
/usr/lib/fpc/1.0.4/units/linux/paszlib/libinfblock.a: 3 out of 8 text messages
/usr/lib/fpc/1.0.4/units/linux/paszlib/infblock.o: 3 out of 8 text messages

pool/main/g/gcvs/gcvs_1.0a7-2_i386.deb
/usr/lib/gcvs/bin/cvs: zlib configuration table, little endian, 32 bit
/usr/lib/gcvs/bin/cvs: zlib inflate table, little endian
/usr/lib/gcvs/bin/cvs: 8 out of 8 text messages
/usr/lib/gcvs/bin/cvs: inflate version: "1.0.4 Copyright 1995-1996 Mark Adler "
/usr/lib/gcvs/bin/cvs: deflate version: "1.0.4 Copyright 1995-1996 Jean-loup Gailly "

pool/main/k/kbackup/kbackup_1.2.11-10_all.deb
/usr/lib/kbackup/verify_src: 1 out of 8 text messages

pool/main/liba/libax25/libax25_0.0.9-2_i386.deb
/usr/lib/libax25.so.0.0.0: 1 out of 8 text messages

pool/main/liba/libax25/libax25-dev_0.0.9-2_i386.deb
/usr/lib/libax25.a: 1 out of 8 text messages

pool/main/q/qt-embedded/libqt-emb-dev_2.3.2-2_i386.deb
/usr/lib/libqte.a: zlib configuration table, little endian, 32 bit
/usr/lib/libqte.a: zlib inflate table, little endian
/usr/lib/libqte.a: 8 out of 8 text messages
/usr/lib/libqte.a: inflate version: "1.1.3 Copyright 1995-1998 Mark Adler "
/usr/lib/libqte.a: deflate version: "1.1.3 Copyright 1995-1998 Jean-loup Gailly "

pool/main/l/lzop/lzop_1.00-4_i386.deb
/bin/lzop: 1 out of 8 text messages

pool/main/m/mirrordir/mirrordir_0.10.49-7.2_i386.deb
/usr/lib/libmirrordirz.so.1.0.0: zlib configuration table, little endian, 32 bit
/usr/lib/libmirrordirz.so.1.0.0: zlib inflate table, little endian
/usr/lib/libmirrordirz.so.1.0.0: 8 out of 8 text messages
/usr/lib/libmirrordirz.so.1.0.0: inflate version: "1.1.3 Copyright 1995-1998 Mark Adler "
/usr/lib/libmirrordirz.so.1.0.0: deflate version: "1.1.3 Copyright 1995-1998 Jean-loup Gailly "

pool/main/p/plucker/plucker_1.1.14-2_all.deb
/usr/share/plucker/palm/SysZLib.prc: 8 out of 8 text messages
/usr/share/plucker/palm/SysZLib.prc: inflate version: "1.1.3 Copyright 1995-1998 Mark Adler "
/usr/share/plucker/palm/SysZLib.prc: deflate version: "1.1.3 Copyright 1995-1998 Jean-loup Gailly "

pool/main/p/ppp/ppp_2.4.1.uus-4_i386.deb
/usr/sbin/pppdump: zlib inflate table, little endian
/usr/sbin/pppdump: 7 out of 8 text messages

pool/main/r/rsync/rsync_2.5.2-0.1_i386.deb
/usr/bin/rsync: zlib configuration table, little endian, 32 bit
/usr/bin/rsync: zlib inflate table, little endian
/usr/bin/rsync: 8 out of 8 text messages
/usr/bin/rsync: inflate version: "1.1.2 Copyright 1995-1998 Mark Adler "
/usr/bin/rsync: deflate version: "1.1.2 Copyright 1995-1998 Jean-loup Gailly "

pool/main/s/sash/sash_3.4-8.1_i386.deb
/bin/sash: zlib configuration table, little endian, 32 bit
/bin/sash: zlib inflate table, little endian
/bin/sash: 8 out of 8 text messages
/bin/sash: inflate version: "1.1.3 Copyright 1995-1998 Mark Adler "
/bin/sash: deflate version: "1.1.3 Copyright 1995-1998 Jean-loup Gailly "

pool/main/u/user-mode-linux/user-mode-linux_2.4.18.2um-1_i386.deb
/usr/bin/linux: zlib inflate table, little endian
/usr/bin/linux: 8 out of 8 text messages
/usr/bin/linux: inflate version: "1.1.3 Copyright 1995-1998 Mark Adler "
/usr/lib/uml/modules/2.4.18-2um/kernel/drivers/net/ppp_deflate.o: zlib configuration table, little endian, 32 bit
/usr/lib/uml/modules/2.4.18-2um/kernel/drivers/net/ppp_deflate.o: zlib inflate table, little endian
/usr/lib/uml/modules/2.4.18-2um/kernel/drivers/net/ppp_deflate.o: 8 out of 8 text messages
/usr/lib/uml/modules/2.4.18-2um/kernel/drivers/net/ppp_deflate.o: inflate version: "1.0.4 Copyright 1995-1996 Mark Adler "
/usr/lib/uml/modules/2.4.18-2um/kernel/drivers/net/ppp_deflate.o: deflate version: "1.0.4 Copyright 1995-1996 Jean-loup Gailly "

pool/main/v/vreng/vreng_3.4.0-3_i386.deb
/usr/bin/vreng: zlib inflate table, little endian
/usr/bin/vreng: 8 out of 8 text messages
/usr/bin/vreng: inflate version: "1.1.3 Copyright 1995-1998 Mark Adler "

pool/main/v/vrweb/vrweb_1.5-8_i386.deb
/usr/bin/vrweb: 1 out of 8 text messages

pool/non-US/main/e/erlang/erlang_8.0-4_i386.deb
/usr/lib/erlang/erts-5.1/bin/beam: zlib configuration table, little endian, 32 bit
/usr/lib/erlang/erts-5.1/bin/beam: zlib inflate table, little endian
/usr/lib/erlang/erts-5.1/bin/beam: 8 out of 8 text messages
/usr/lib/erlang/erts-5.1/bin/beam: inflate version: "1.1.3 Copyright 1995-1998 Mark Adler "
/usr/lib/erlang/erts-5.1/bin/beam: deflate version: "1.1.3 Copyright 1995-1998 Jean-loup Gailly "
/usr/lib/erlang/erts-5.1/bin/beam.instr: zlib configuration table, little endian, 32 bit
/usr/lib/erlang/erts-5.1/bin/beam.instr: zlib inflate table, little endian
/usr/lib/erlang/erts-5.1/bin/beam.instr: 8 out of 8 text messages
/usr/lib/erlang/erts-5.1/bin/beam.instr: inflate version: "1.1.3 Copyright 1995-1998 Mark Adler "
/usr/lib/erlang/erts-5.1/bin/beam.instr: deflate version: "1.1.3 Copyright 1995-1998 Jean-loup Gailly "

pool/non-US/main/f/freeswan/freeswan_1.95-3_i386.deb
/usr/src/kernel-patches/all/freeswan/zlib/deflate.c: deflate version: "1.1.3 Copyright 1995-1998 Jean-loup Gailly "
/usr/src/kernel-patches/all/freeswan/zlib/infblock.c: 3 out of 8 text messages
/usr/src/kernel-patches/all/freeswan/zlib/inflate.c: 5 out of 8 text messages
/usr/src/kernel-patches/all/freeswan/zlib/inftrees.c: inflate version: "1.1.3 Copyright 1995-1998 Mark Adler "
/usr/src/kernel-patches/all/freeswan/zlib/zutil.c: 1 out of 8 text messages

pool/non-US/main/u/unzip/unzip_5.50-0_i386.deb
/usr/bin/unzip: 1 out of 8 text messages
/usr/bin/unzipsfx: 1 out of 8 text messages

pool/non-US/main/z/zip/zip_2.30-4_i386.deb
/usr/bin/zipinfo: 1 out of 8 text messages
/usr/bin/zip: 1 out of 8 text messages

-- 
 - mdz


