CVE-2005-2096

Name: CVE-2005-2096
Description: zlib 1.2 and later versions allow remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file.
Source: CVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
References: DSA-1026-1, DSA-740-1, DSA-797-1, DSA-797-2
NVD severity: high (attack range: remote)
Debian Bugs: 309196, 317133, 317523, 317966, 317967, 317968, 317970, 317971, 318014, 318069, 318091, 318097, 318099, 318100, 318246, 319858, 332236
Debian/oldoldstable: not vulnerable.
Debian/oldstable: not vulnerable.
Debian/stable: not vulnerable.
Debian/testing: not vulnerable.
Debian/unstable: not vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| aide (PTS) | squeeze | 0.15.1-2+squeeze1 | fixed |
| | wheezy | 0.15.1-8 | fixed |
| | stretch, sid, jessie | 0.16~a2.git20130520-3 | fixed |
| amd64-libs (PTS) | squeeze | 1.4+nmu1 | fixed |
| bacula (PTS) | squeeze, squeeze (security) | 5.0.2-2.2+squeeze1 | fixed |
| | wheezy | 5.2.6+dfsg-9 | fixed |
| | stretch, sid, jessie | 5.2.6+dfsg-9.3 | fixed |
| dar (PTS) | squeeze | 2.3.10-1 | fixed |
| | wheezy | 2.4.5.debian.1-1 | fixed |
| | stretch, sid, jessie | 2.4.15-1 | fixed |
| dpkg (PTS) | squeeze, squeeze (security) | 1.15.11 | fixed |
| | wheezy | 1.16.15 | fixed |
| | wheezy (security) | 1.16.16 | fixed |
| | stretch, sid, jessie | 1.17.25 | fixed |
| dump (PTS) | squeeze | 0.4b43-1 | fixed |
| | wheezy | 0.4b44-1 | fixed |
| | stretch, jessie | 0.4b44-5 | fixed |
| | sid | 0.4b44-7 | fixed |
| ia32-libs (PTS) | squeeze | 20140630 | fixed |
| | squeeze (lts) | 20150413 | fixed |
| | wheezy | 1:0.4 | fixed |
| libphysfs (PTS) | squeeze | 2.0.1-2 | fixed |
| | wheezy | 2.0.2-6 | fixed |
| | stretch, sid, jessie | 2.0.3-2 | fixed |
| mrtg (PTS) | squeeze | 2.16.3-3 | fixed |
| | stretch, sid, jessie, wheezy | 2.17.4-2 | fixed |
| pvpgn (PTS) | squeeze/contrib | 1.8.1-2 | fixed |
| | wheezy/contrib | 1.8.1-2.1 | fixed |
| | sid/contrib, stretch/contrib, jessie/contrib | 1.8.5-2 | fixed |
| rpm (PTS) | squeeze | 4.8.1-6+squeeze1 | fixed |
| | squeeze (lts) | 4.8.1-6+squeeze2 | fixed |
| | wheezy | 4.10.0-5+deb7u1 | fixed |
| | wheezy (security) | 4.10.0-5+deb7u2 | fixed |
| | stretch, sid, jessie | 4.11.3-1.1 | fixed |
| rsync (PTS) | squeeze | 3.0.7-2 | fixed |
| | wheezy | 3.0.9-4 | fixed |
| | stretch, sid, jessie | 3.1.1-3 | fixed |
| sash (PTS) | squeeze | 3.7-10 | fixed |
| | wheezy | 3.7-12 | fixed |
| | stretch, sid, jessie | 3.8-3 | fixed |
| texmacs (PTS) | squeeze | 1:1.0.7.4-3.1 | fixed |
| | wheezy | 1:1.0.7.15-2 | fixed |
| | sid | 1:1.0.7.18-1 | fixed |
| zlib (PTS) | squeeze | 1:1.2.3.4.dfsg-3 | fixed |
| | wheezy | 1:1.2.7.dfsg-13 | fixed |
| | stretch, sid, jessie | 1:1.2.8.dfsg-2 | fixed |
| zsync (PTS) | squeeze | 0.6.1-3 | fixed |
| | stretch, sid, jessie, wheezy | 0.6.2-1 | fixed |

The information below is based on the following data on fixed versions.

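| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| aide | source | (unstable) | 0.10-6.1.1 | unimportant | | 317523 |
| aide | source | woody | (not affected) | | | |
| amd64-libs | source | (unstable) | 1.3 | medium | | 317970 |
| amd64-libs | source | woody | (not affected) | | | |
| bacula | source | (unstable) | 1.36.3-2 | medium | | 318014 |
| bacula | source | woody | (not affected) | | | |
| dar | source | (unstable) | (not affected) | | | |
| dpkg | source | (unstable) | 1.13.11 | unimportant | | 317967 |
| dpkg | source | woody | (not affected) | | | |
| dump | source | (unstable) | 0.4b40-1 | low | | 317966 |
| dump | source | woody | (not affected) | | | |
| ia32-libs | source | (unstable) | 1.6 | medium | | 317971 |
| ia32-libs | source | woody | (not affected) | | | |
| libphysfs | source | (unstable) | 1.0.0-5 | unimportant | | 318091 |
| libphysfs | source | woody | (not affected) | | | |
| mrtg | source | (unstable) | (not affected) | | | |
| mysql-dfsg-4.1 | source | (unstable) | 4.1.13-1 | unimportant | | 319858 |
| oops | source | (unstable) | 1.5.23.cvs-3 | medium | | 318097 |
| pvpgn | source | (unstable) | 1.7.8-2 | high | | 332236 |
| rageircd | source | (unstable) | 2.0.0-3sid1 | medium | | 309196 |
| rpm | source | (unstable) | 4.0.4-31.1 | unimportant | | 318099 |
| rpm | source | woody | (not affected) | | | |
| rsync | source | (unstable) | (not affected) | | | |
| sash | source | (unstable) | 3.7-6 | medium | | 318069, 318246 |
| sash | source | sarge | 3.7-5sarge1 | high | DSA-1026-1 | |
| sash | source | woody | (not affected) | | | |
| systemimager-ssh | source | (unstable) | (not affected) | | | |
| texmacs | source | (unstable) | 1:1.0.5-3 | medium | | 318100 |
| texmacs | source | woody | (not affected) | | | |
| zlib | source | (unstable) | 1:1.2.2-7 | medium | | 317133 |
| zlib | source | sarge | 1:1.2.2-4.sarge.1 | medium | DSA-740-1 | |
| zlib | source | woody | (not affected) | | DSA-740-1 | |
| zsync | source | (unstable) | 0.4.0-2 | medium | | 317968 |
| zsync | source | sarge | 0.3.3-1.sarge.1 | medium | DSA-797-1 | |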

Notes

Several packages ship embedded copies of zlib; there are probably a lot more.
Florian Weimer is doing a comprehensive audit using clamav
to search for static zlib signatures in binaries in Debian
Not all of the listed packages have been checked for actual
exploitability using this hole.
oldstable (woody) had zlib 1.1, which is not affected
[woody] - dpkg <not-affected> (Woody contains zlib 1.1, which is not affected)
You need to trust debs anyway, when installing them
[woody] - dump <not-affected> (Woody contains zlib 1.1, which is not affected)
[sarge] - dump <no-dsa> (Backups do not contain untrusted data)
[woody] - aide <not-affected> (Woody contains zlib 1.1, which is not affected)
aide only uses zlib to compress/decompress internal data
[woody] - amd64-libs <not-affected> (Woody contains zlib 1.1, which is not affected)
[woody] - ia32-libs <not-affected> (Woody contains zlib 1.1, which is not affected)
- dar <not-affected> (zlib not used on untrusted input, see #317989)
[woody] - bacula <not-affected> (Woody contains zlib 1.1, which is not affected)
[sarge] - bacula <no-dsa> (Backups do not contain untrusted data)
[woody] - sash <not-affected> (Woody contains zlib 1.1, which is not affected)
[woody] - libphysfs <not-affected> (Woody contains zlib 1.1, which is not affected)
[woody] - rpm <not-affected> (Woody contains zlib 1.1, which is not affected)
You need to trust rpms anyway, when installing them
- systemimager-ssh <not-affected> (bug #318101; unimportant)
see dannf's first bug comment; systemimager-ssh doesn't use compression
[woody] - texmacs <not-affected> (Woody contains zlib 1.1, which is not affected)
[sarge] - texmacs <no-dsa> (Hardly exploitable)
- mrtg <not-affected> (Only used for internal compression, current versions link dynamically)
- rsync <not-affected> (Uses zlib 1.1, which is not affected)
rsync upstream updated the internal zlib copy in 2.6.6 without real need,
as the included version was never affected, despite upstream claiming it was.
