From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 1AD92158AC9 for ; Mon, 15 Jan 2024 12:05:34 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 62888E2A7A; Mon, 15 Jan 2024 12:04:56 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id DEC8CE2A69 for ; Mon, 15 Jan 2024 12:04:30 +0000 (UTC) Received: from glsamakerdev.dev.gentoo.org (unknown [140.211.166.165]) by smtp.gentoo.org (Postfix) with ESMTP id 066F5343260 for ; Mon, 15 Jan 2024 12:04:30 +0000 (UTC) Received: from [172.18.0.3] (unknown [172.18.0.3]) by glsamakerdev.dev.gentoo.org (Postfix) with ESMTP id C1BCDA8174 for ; Mon, 15 Jan 2024 12:04:29 +0000 (UTC) Subject: [gentoo-announce] [ GLSA 202401-18 ] zlib: Buffer Overflow Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-announce@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha512"; boundary="===============3503363895252375305==" From: glsamaker@gentoo.org To: gentoo-announce@lists.gentoo.org Reply-To: security@gentoo.org Date: Mon, 15 Jan 2024 12:04:29 -0000 Message-ID: <170532026978.7.75389934020741495@4a99fbfff9eb> X-Archives-Salt: 67b2630a-7c6e-436a-b56d-d4ff23585e09 X-Archives-Hash: 8ebc3830f08980cfafa83eb1af281a2c --===============3503363895252375305== Content-Type: text/plain; charset="utf-8" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202401-18 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: zlib: Buffer Overflow Date: January 15, 2024 Bugs: #916484 ID: 202401-18 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== A vulnerability has been found in zlib that can lead to a heap-based buffer overflow. Background ========== zlib is a widely used free and patent unencumbered data compression library. Affected packages ================= Package Vulnerable Unaffected ------------- ------------ ------------ sys-libs/zlib < 1.2.13-r2 >= 1.2.13-r2 Description =========== A vulnerability has been discovered in zlib. Please review the CVE identifier referenced below for details. Impact ====== MiniZip in zlib through 1.3 has an integer overflow and resultant heap- based buffer overflow in ZipOpenNewFileInZip4_64 via a long filename, comment, or extra field. Workaround ========== There is no known workaround at this time. Resolution ========== All zlib users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=sys-libs/zlib-1.2.13-r2" References ========== [ 1 ] CVE-2023-45853 https://nvd.nist.gov/vuln/detail/CVE-2023-45853 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202401-18 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 --===============3503363895252375305== Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEpqTA6ABLMxh/aChGFMQkOaVy+9kFAmWlH00ACgkQFMQkOaVy +9lkKg//fxaArvRLmO6jlpLrcaPm2OxRCB91/G8O9Q10/hUvaH6Ln2lU4akCszLv l0cLmwlQttoAaDIMPQoeB8Yp3aQa/HErtjzo7//mXYTxe+RWF/qw3f6/x+cg+EIi yygRTNc1Qn2wBAfPFHeqBEK+0AAp86ppjJcFmzY9bSY7TKhmMD+tZSK2F5HP22VL 7WGjbFBrZIX2iwh1rL/hcBQiE1AgcGsSYMRfA78AA9W/v0wmLYqgkAgfI0X7GOCE Zl1pCZbRSVn2JhVFlTf/XCjD/8CveYaLYmEktruVFp6A2q4SdcPe473EJ0ICnZzr DrD2w974lADOWcYl8zX8ddAgFY1ml/1v2zRO2kSJx5bfxsBIQ7GR7hrAxSXGVuLN U3m1XnA5+Q27dPFBVWZ2dnucRVxpzWlm8/G7j/G/1rVQRa8JrwEjqRpc8kSPHYru POC5mso+lCyFwY/Vi7SaN3JOuEpa8RGDj1JgtF8DWIxqgamm4TYkj0Z8VUBLp4c6 OWOEMJ/dFKME3ebDDGpbsHKlPiVQb8st5TQB1SguohjexDbOUV9ZIz4pXoRT0jCT OglA/srcZhFXoJlEkJhfxTd3QDWzc/0EGrZufLK9nYdW3jNZMh2mBGe21F1nycNy Cd1AXjKTroB+0nlPOP/QERqR6Tes5BjQ0d6xYrd+ETif/bEw0iQ= =ZvNu -----END PGP SIGNATURE----- --===============3503363895252375305==--