| Name | CVE-2005-2096 |
| Description | zlib 1.2 and later versions allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-1026-1, DSA-740-1, DSA-797-1, DSA-797-2 |
| Debian Bugs | 309196, 317133, 317523, 317966, 317967, 317968, 317970, 317971, 318014, 318069, 318091, 318097, 318099, 318100, 318246, 319858, 332236 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| aide (PTS) | jessie, jessie (lts) | 0.16~a2.git20130520-3+deb8u1 | fixed |
| stretch (security), stretch (lts), stretch | 0.16-1+deb9u1 | fixed |
| buster, buster (security) | 0.16.1-1+deb10u1 | fixed |
| bullseye | 0.17.3-4+deb11u2 | fixed |
| bullseye (security) | 0.17.3-4+deb11u1 | fixed |
| bookworm | 0.18.3-1+deb12u2 | fixed |
| sid, trixie | 0.18.6-2 | fixed |
| bacula (PTS) | jessie | 5.2.6+dfsg-9.3 | fixed |
| stretch (security), stretch (lts), stretch | 7.4.4+dfsg-6+deb9u2 | fixed |
| buster | 9.4.2-2+deb10u1 | fixed |
| bullseye | 9.6.7-3 | fixed |
| bookworm | 9.6.7-7 | fixed |
| sid, trixie | 13.0.4-1 | fixed |
| dar (PTS) | jessie | 2.4.15-1 | fixed |
| stretch | 2.5.8-3 | fixed |
| buster | 2.6.2-1 | fixed |
| bullseye | 2.6.13-2 | fixed |
| bookworm | 2.7.8-2 | fixed |
| trixie | 2.7.13-2 | fixed |
| sid | 2.7.14-1 | fixed |
| dpkg (PTS) | jessie, jessie (lts) | 1.17.28 | fixed |
| stretch (security), stretch (lts), stretch | 1.18.26 | fixed |
| buster, buster (security) | 1.19.8 | fixed |
| bullseye | 1.20.13 | fixed |
| bullseye (security) | 1.20.10 | fixed |
| bookworm | 1.21.22 | fixed |
| sid, trixie | 1.22.6 | fixed |
| dump (PTS) | jessie | 0.4b44-5 | fixed |
| stretch | 0.4b46-3 | fixed |
| buster | 0.4b46-5 | fixed |
| bullseye | 0.4b46-8 | fixed |
| sid, trixie, bookworm | 0.4b47-4 | fixed |
| libphysfs (PTS) | jessie | 2.0.3-2 | fixed |
| stretch | 2.0.3-5 | fixed |
| buster | 3.0.1-3.1 | fixed |
| bullseye | 3.0.2-5 | fixed |
| sid, trixie, bookworm | 3.0.2-6 | fixed |
| mrtg (PTS) | jessie | 2.17.4-2 | fixed |
| stretch | 2.17.4-4 | fixed |
| buster | 2.17.7-1 | fixed |
| bullseye | 2.17.7-2+deb11u1 | fixed |
| bookworm | 2.17.10-5+deb12u2 | fixed |
| sid, trixie | 2.17.10-12 | fixed |
| pvpgn (PTS) | jessie/contrib | 1.8.5-2 | fixed |
| stretch/contrib, buster/contrib, bullseye/contrib | 1.8.5-2.1 | fixed |
| sid/contrib, bookworm/contrib | 1.8.5-3 | fixed |
| rpm (PTS) | jessie | 4.11.3-1.1 | fixed |
| stretch | 4.12.0.2+dfsg1-2 | fixed |
| buster | 4.14.2.1+dfsg1-1 | fixed |
| bullseye | 4.16.1.2+dfsg1-3 | fixed |
| bookworm | 4.18.0+dfsg-1+deb12u1 | fixed |
| trixie | 4.18.2+dfsg-2 | fixed |
| sid | 4.18.2+dfsg-2.1 | fixed |
| rsync (PTS) | jessie, jessie (lts) | 3.1.1-3+deb8u2 | fixed |
| stretch (security), stretch (lts), stretch | 3.1.2-1+deb9u3 | fixed |
| buster | 3.1.3-6 | fixed |
| bullseye | 3.2.3-4+deb11u1 | fixed |
| trixie, bookworm | 3.2.7-1 | fixed |
| sid | 3.3.0-1 | fixed |
| sash (PTS) | jessie, stretch | 3.8-3 | fixed |
| sid, buster, bullseye, trixie, bookworm | 3.8-5 | fixed |
| zlib (PTS) | jessie, jessie (lts) | 1:1.2.8.dfsg-2+deb8u3 | fixed |
| stretch (security) | 1:1.2.8.dfsg-5+deb9u1 | fixed |
| stretch (lts), stretch | 1:1.2.8.dfsg-5+deb9u2 | fixed |
| buster | 1:1.2.11.dfsg-1+deb10u1 | fixed |
| buster (security) | 1:1.2.11.dfsg-1+deb10u2 | fixed |
| bullseye (security), bullseye | 1:1.2.11.dfsg-2+deb11u2 | fixed |
| bookworm | 1:1.2.13.dfsg-1 | fixed |
| trixie | 1:1.3.dfsg-3 | fixed |
| sid | 1:1.3.dfsg-3.1 | fixed |
| zsync (PTS) | jessie | 0.6.2-1 | fixed |
| stretch | 0.6.2-2 | fixed |
| buster, bullseye | 0.6.2-3 | fixed |
| sid, trixie, bookworm | 0.6.2-5 | fixed |
The information below is based on the following data on fixed versions.
Notes
Several packages ship embedded copies of zlib, there are a lot probably more
Florian Weimer is doing a comprehensive audit using clamav
to search for static zlib signatures in binaries in Debian
Not all of the listed packages have been checked for actual
exploitability using this hole.
oldstable (woody) had zlib 1.1, which is not affected
[woody] - dpkg <not-affected> (Woody contains zlib 1.1, which is not affected)
You need to trust debs anyway, when installing them
[woody] - dump <not-affected> (Woody contains zlib 1.1, which is not affected)
[sarge] - dump <no-dsa> (Backups do not contain untrusted data)
[woody] - aide <not-affected> (Woody contains zlib 1.1, which is not affected)
aide only uses zlib to compress/decompress internal data
[woody] - amd64-libs <not-affected> (Woody contains zlib 1.1, which is not affected)
[woody] - ia32-libs <not-affected> (Woody contains zlib 1.1, which is not affected)
- dar <not-affected> (zlib not used on unstrusted input, see #317989)
[woody] - bacula <not-affected> (Woody contains zlib 1.1, which is not affected)
[sarge] - bacula <no-dsa> (Backups do not contain untrusted data)
[woody] - sash <not-affected> (Woody contains zlib 1.1, which is not affected)
[woody] - libphysfs <not-affected> (Woody contains zlib 1.1, which is not affected)
[woody] - rpm <not-affected> (Woody contains zlib 1.1, which is not affected)
You need to trust rpms anyway, when installing them
- systemimager-ssh <not-affected> (bug #318101; unimportant)
see dannf's first bug comment; systemimager-ssh doesn't use compression
[woody] - texmacs <not-affected> (Woody contains zlib 1.1, which is not affected)
[sarge] - texmacs <no-dsa> (Hardly exploitable)
- mrtg <not-affected> (Only used for internal compression, current versions link dynamically)
- rsync <not-affected> (Uses zlib 1.1, which is not affected)
rsync upstream updated the internal zlib copy in 2.6.6 without real need,
as the included version was never affected, despite claiming them so.