Note: This is an archival copy of Security Sun Alert 200550 as previously published on http://sunsolve.sun.com. The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000418.1.
Category: Security
Release Phase: Resolved
Product: Solaris 9 Operating System, Solaris 8 Operating System
Bug Id: 4822658
Date of Resolved Release: 22-OCT-2003

Impact

Applications that are linked with "zlib" and use the gzprintf() function may be susceptible to a security vulnerability which could result in a denial of service, information leakage, or execution of arbitrary code due to a buffer overflow in the "zlib" gzprintf() function. Sun does not distribute any applications with the Solaris Operating Environment which are linked with "zlib" and call gzprintf(). A large number of free applications and libraries have been identified as using "zlib" at http://www.gzip.org/zlib/apps.html. Some of this freeware is distributed on the Solaris Software Companion CDs, but none is known to be vulnerable to this issue at this time. To determine whether a locally built or third-party application is exposed, check whether it is linked against libz and imports the gzprintf symbol (for example with ldd(1) and nm(1)); an application with zlib statically linked will not show libz as a dependency and must be inspected for the symbol directly.

This issue is described in CERT Vulnerability VU#142121 (see http://www.kb.cert.org/vuls/id/142121).

Contributing Factors

This issue can occur in the following releases:

SPARC Platform
x86 Platform
Note 1: libz is not distributed with Solaris 7 or earlier releases.

Note 2: For a short period, patches 115754-01 and 115755-01 were available that purported to address this issue. However, this was not the case, and 115754-02 and 115755-02 are required to address this issue (see the patch revisions listed under References).

Symptoms

There are no predictable symptoms that would show the described issue has been exploited.

Workaround

There is no workaround. Please see the "Resolution" section below.

Resolution

This issue is addressed in the following releases:

SPARC Platform
x86 Platform

Modification History

References

112611-02
112612-02
115754-02
115755-02

Attachments

This solution has no attachment
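The Impact section above describes a buffer overflow in the "zlib" gzprintf() function. The following is an added example, not code from this advisory or from zlib itself: it contrasts the bug class at the root of that issue, formatting through vsprintf() into a fixed-size stack buffer, with the hardened form that formats through vsnprintf() and refuses output that would not fit. The affected gzprintf() formatted into a 4096-byte stack buffer, and used vsprintf() when vsnprintf() was not available at build time. Here gzwrite() is replaced by a caller-supplied sink buffer so the example links without zlib; the names Z_PRINTF_BUFSIZE, sink_write, gzprintf_unsafe, gzprintf_safe, demo_short and demo_long are chosen for this example, and the inputs are constructed.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size formatting buffer. The affected gzprintf() used a 4096-byte
   stack buffer of this kind; the constant name is reused here for clarity. */
#define Z_PRINTF_BUFSIZE 4096

/* Stand-in for gzwrite(): copies up to sink_len bytes into a caller-supplied
   buffer (a constructed sink for this example, not a compressed stream) and
   returns the number of bytes delivered. */
static int sink_write(char *sink, size_t sink_len, const char *buf, size_t len)
{
    if (len > sink_len)
        len = sink_len;
    memcpy(sink, buf, len);
    return (int)len;
}

/* UNSAFE pattern (the bug class): vsprintf() is never told how large buf is.
   A format whose expansion exceeds Z_PRINTF_BUFSIZE - 1 bytes writes past the
   end of the stack buffer. Shown only for contrast; it is exercised below
   only with a short, fixed format. */
int gzprintf_unsafe(char *sink, size_t sink_len, const char *fmt, ...)
{
    char buf[Z_PRINTF_BUFSIZE];
    va_list va;
    int len;

    va_start(va, fmt);
    (void)vsprintf(buf, fmt, va);       /* unbounded write into buf */
    va_end(va);
    len = (int)strlen(buf);
    if (len <= 0)
        return 0;
    return sink_write(sink, sink_len, buf, (size_t)len);
}

/* HARDENED pattern: vsnprintf() is bounded by sizeof buf and reports the
   length the full expansion would have had. Output that would not fit is
   refused with -1 rather than silently truncated or, worse, overrun. */
int gzprintf_safe(char *sink, size_t sink_len, const char *fmt, ...)
{
    char buf[Z_PRINTF_BUFSIZE];
    va_list va;
    int len;

    va_start(va, fmt);
    len = vsnprintf(buf, sizeof buf, fmt, va);
    va_end(va);
    if (len < 0)
        return -1;                      /* encoding or format error */
    if ((size_t)len >= sizeof buf)
        return -1;                      /* would not fit with the terminating NUL */
    if (len == 0)
        return 0;
    return sink_write(sink, sink_len, buf, (size_t)len);
}

/* A short format: both variants deliver the same 11 bytes "hello world". */
int demo_short(int use_safe)
{
    char sink[Z_PRINTF_BUFSIZE];
    int n = use_safe ? gzprintf_safe(sink, sizeof sink, "hello %s", "world")
                     : gzprintf_unsafe(sink, sizeof sink, "hello %s", "world");
    if (n != 11 || memcmp(sink, "hello world", 11) != 0)
        return -2;
    return n;
}

/* A %s argument of 'count' bytes (constructed input), formatted with the
   hardened variant. count == 4095 is the largest that fits together with
   the terminating NUL and is delivered in full; count == 4096 or more is
   refused with -1. Given the same 4096-byte-or-longer input, the unsafe
   variant would overrun its stack buffer. */
int demo_long(size_t count)
{
    static char big[8192];
    char sink[8192];

    if (count >= sizeof big)
        return -3;
    memset(big, 'A', count);
    big[count] = '\0';
    return gzprintf_safe(sink, sizeof sink, "%s", big);
}
```

Refusing an oversized expansion outright, rather than delivering a truncated record, is a deliberate choice here: a caller writing structured data to a compressed stream gets a clear error path instead of a silently corrupted file.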