CVE-2005-2096

NameCVE-2005-2096
Descriptionzlib 1.2 and later versions allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-1026-1, DSA-740-1, DSA-797-1, DSA-797-2
Debian Bugs309196, 317133, 317523, 317966, 317967, 317968, 317970, 317971, 318014, 318069, 318091, 318097, 318099, 318100, 318246, 319858, 332236

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
aide (PTS)jessie, jessie (lts)0.16~a2.git20130520-3+deb8u1fixed
stretch (security), stretch (lts), stretch0.16-1+deb9u1fixed
buster (security), buster, buster (lts)0.16.1-1+deb10u1fixed
bullseye0.17.3-4+deb11u2fixed
bullseye (security)0.17.3-4+deb11u1fixed
bookworm0.18.3-1+deb12u3fixed
sid, trixie0.18.8-1fixed
bacula (PTS)jessie5.2.6+dfsg-9.3fixed
stretch (security), stretch (lts), stretch7.4.4+dfsg-6+deb9u2fixed
buster9.4.2-2+deb10u1fixed
bullseye9.6.7-3fixed
bookworm9.6.7-7fixed
trixie13.0.4-3fixed
sid13.0.4-4fixed
dar (PTS)jessie2.4.15-1fixed
stretch2.5.8-3fixed
buster2.6.2-1fixed
bullseye2.6.13-2fixed
bookworm2.7.8-2fixed
sid, trixie2.7.15-2fixed
dpkg (PTS)jessie, jessie (lts)1.17.28fixed
stretch (security), stretch (lts), stretch1.18.26fixed
buster (security), buster, buster (lts)1.19.8fixed
bullseye1.20.13fixed
bullseye (security)1.20.10fixed
bookworm1.21.22fixed
sid, trixie1.22.11fixed
dump (PTS)jessie0.4b44-5fixed
stretch0.4b46-3fixed
buster0.4b46-5fixed
bullseye0.4b46-8fixed
bookworm0.4b47-4fixed
sid, trixie0.4b47-6fixed
libphysfs (PTS)jessie2.0.3-2fixed
stretch2.0.3-5fixed
buster3.0.1-3.1fixed
bullseye3.0.2-5fixed
sid, trixie, bookworm3.0.2-6fixed
mrtg (PTS)jessie2.17.4-2fixed
stretch2.17.4-4fixed
buster2.17.7-1fixed
bullseye2.17.7-2+deb11u1fixed
bookworm2.17.10-5+deb12u2fixed
sid, trixie2.17.10-12fixed
pvpgn (PTS)jessie/contrib1.8.5-2fixed
stretch/contrib, buster/contrib, bullseye/contrib1.8.5-2.1fixed
sid/contrib, bookworm/contrib1.8.5-3fixed
rpm (PTS)jessie4.11.3-1.1fixed
stretch4.12.0.2+dfsg1-2fixed
buster4.14.2.1+dfsg1-1fixed
bullseye4.16.1.2+dfsg1-3fixed
bookworm4.18.0+dfsg-1+deb12u1fixed
sid, trixie4.20.0+dfsg-3fixed
rsync (PTS)jessie, jessie (lts)3.1.1-3+deb8u2fixed
stretch (security), stretch (lts), stretch3.1.2-1+deb9u3fixed
buster3.1.3-6fixed
bullseye3.2.3-4+deb11u1fixed
bookworm3.2.7-1fixed
sid, trixie3.3.0-1fixed
sash (PTS)jessie, stretch3.8-3fixed
buster, bullseye, bookworm3.8-5fixed
sid, trixie3.8-6fixed
texmacs (PTS)sid, trixie1:2.1.4+ds-3fixed
zlib (PTS)jessie, jessie (lts)1:1.2.8.dfsg-2+deb8u3fixed
stretch (security)1:1.2.8.dfsg-5+deb9u1fixed
stretch (lts), stretch1:1.2.8.dfsg-5+deb9u2fixed
buster (security), buster, buster (lts)1:1.2.11.dfsg-1+deb10u2fixed
bullseye (security), bullseye1:1.2.11.dfsg-2+deb11u2fixed
bookworm1:1.2.13.dfsg-1fixed
sid, trixie1:1.3.dfsg+really1.3.1-1fixed
zsync (PTS)jessie0.6.2-1fixed
stretch0.6.2-2fixed
buster, bullseye0.6.2-3fixed
bookworm0.6.2-5fixed
sid, trixie0.6.2-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
aidesourcewoody(not affected)
aidesource(unstable)0.10-6.1.1unimportant317523
amd64-libssourcewoody(not affected)
amd64-libssource(unstable)1.3medium317970
baculasourcewoody(not affected)
baculasource(unstable)1.36.3-2medium318014
darsource(unstable)(not affected)
dpkgsourcewoody(not affected)
dpkgsource(unstable)1.13.11unimportant317967
dumpsourcewoody(not affected)
dumpsource(unstable)0.4b40-1low317966
ia32-libssourcewoody(not affected)
ia32-libssource(unstable)1.6medium317971
libphysfssourcewoody(not affected)
libphysfssource(unstable)1.0.0-5unimportant318091
mrtgsource(unstable)(not affected)
mysql-dfsg-4.1source(unstable)4.1.13-1unimportant319858
oopssource(unstable)1.5.23.cvs-3medium318097
pvpgnsource(unstable)1.7.8-2332236
rageircdsource(unstable)2.0.0-3sid1medium309196
rpmsourcewoody(not affected)
rpmsource(unstable)4.0.4-31.1unimportant318099
rsyncsource(unstable)(not affected)
sashsourcewoody(not affected)
sashsourcesarge3.7-5sarge1DSA-1026-1
sashsource(unstable)3.7-6medium318069, 318246
systemimager-sshsource(unstable)(not affected)
texmacssourcewoody(not affected)
texmacssource(unstable)1:1.0.5-3medium318100
zlibsourcewoody(not affected)DSA-740-1
zlibsourcesarge1:1.2.2-4.sarge.1mediumDSA-740-1
zlibsource(unstable)1:1.2.2-7medium317133
zsyncsourcesarge0.3.3-1.sarge.1mediumDSA-797-1
zsyncsource(unstable)0.4.0-2medium317968

Notes

Several packages ship embedded copies of zlib, there are a lot probably more
Florian Weimer is doing a comprehensive audit using clamav
to search for static zlib signatures in binaries in Debian
Not all of the listed packages have been checked for actual
exploitability using this hole.
oldstable (woody) had zlib 1.1, which is not affected
[woody] - dpkg <not-affected> (Woody contains zlib 1.1, which is not affected)
You need to trust debs anyway, when installing them
[woody] - dump <not-affected> (Woody contains zlib 1.1, which is not affected)
[sarge] - dump <no-dsa> (Backups do not contain untrusted data)
[woody] - aide <not-affected> (Woody contains zlib 1.1, which is not affected)
aide only uses zlib to compress/decompress internal data
[woody] - amd64-libs <not-affected> (Woody contains zlib 1.1, which is not affected)
[woody] - ia32-libs <not-affected> (Woody contains zlib 1.1, which is not affected)
- dar <not-affected> (zlib not used on unstrusted input, see #317989)
[woody] - bacula <not-affected> (Woody contains zlib 1.1, which is not affected)
[sarge] - bacula <no-dsa> (Backups do not contain untrusted data)
[woody] - sash <not-affected> (Woody contains zlib 1.1, which is not affected)
[woody] - libphysfs <not-affected> (Woody contains zlib 1.1, which is not affected)
[woody] - rpm <not-affected> (Woody contains zlib 1.1, which is not affected)
You need to trust rpms anyway, when installing them
- systemimager-ssh <not-affected> (bug #318101; unimportant)
see dannf's first bug comment; systemimager-ssh doesn't use compression
[woody] - texmacs <not-affected> (Woody contains zlib 1.1, which is not affected)
[sarge] - texmacs <no-dsa> (Hardly exploitable)
- mrtg <not-affected> (Only used for internal compression, current versions link dynamically)
- rsync <not-affected> (Uses zlib 1.1, which is not affected)
rsync upstream updated the internal zlib copy in 2.6.6 without real need,
as the included version was never affected, despite claiming them so.
Search for package or bug name: Reporting problems