CERT/CC Vulnerability Note VU#238678 (original) (raw)
Overview
Un-handled error conditions in the zlib compression library may allow an attacker to cause a denial-of-service condition.
Description
There is a vulnerability in the error handling mechanisms of the decompression functions in the zlib compression library. The decompression functions inflate() and inflateBack() fail to handle certain error conditions properly. If an un-handled error condition is raised, the application linked to zlib may abruptly and abnormally terminate. This vulnerability may be exploited locally or remotely depending on the application being attacked.
This issue exists in zlib versions 1.2.0.x and 1.2.x, other versions are not vulnerable.
Impact
A malicious user may be able to intentionally raise an un-handled error condition by supplying the vulnerable functions with specially crafted compressed data. As a result, applications linked to the zlib library may abruptly and abnormally terminate resulting in a denial-of-service condition.
Solution
Check with Vendor
Users who suspect they are vulnerable are encouraged to check with their vendor to determine the appropriate action to take. Please see the list of vendors we have notified below.
Vendor Information
Filter by content: Additional information available
Sort by:
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
This vulnerability was reported by OpenPKG.We thank Mark Adler for providing information about this vulnerability.
This document was written by Jeff Gennari.
Other Information
| CVE IDs: | CVE-2004-0797 |
|---|---|
| Severity Metric: | 0.66 |
| Date Public: | 2004-08-25 |
| Date First Published: | 2004-10-01 |
| Date Last Updated: | 2005-10-05 20:04 UTC |
| Document Revision: | 338 |