Bug 504386 (CVE-2009-1391)
Summary: | CVE-2009-1391 Buffer overflow in Compress::Raw::Zlib
---|---
Product: | [Fedora] Fedora
Component: | perl
Version: | 10
Hardware: | All
OS: | Linux
Status: | CLOSED ERRATA
Severity: | urgent
Priority: | low
Reporter: | Leo Bergolth <leo>
Assignee: | Marcela Mašláňová <mmaslano>
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
CC: | kasal, security-response-team
Keywords: | Security
Flags: | kevin: fedora-cvs+
Fixed In Version: | 5.10.0-69.fc11
Doc Type: | Bug Fix
Last Closed: | 2009-06-11 08:42:09 UTC
Description
Leo Bergolth
2009-06-05 23:14:12 UTC
Thank you for your investigation. An updated version of Compress::Raw::Zlib will be provided in Fedora. I suppose you have perl-Compress-Raw-Zlib from a different source than RHEL or EPEL. I see it in EPEL-4 as a package and then as a part of perl-5.10 in Fedora.

OK, sorry, the package on my RHEL5 box is from rpmfusion. So RHEL5 doesn't seem to provide perl-Compress-Raw-Zlib at all...

Updates will be done for F-10, F-11 and rawhide perl. For EPEL, the perl-Compress-Raw-Zlib package will be updated in EPEL-4 and 5.

Even though there seems to be a directory in CVS for the package in EPEL-4, it does not seem to be included in either EPEL-4 or EPEL-5 on download FTPs. The module seems to be part of the perl SRPM as of F-9.

Package Change Request
======================
Package Name: perl-Compress-Raw-Zlib
New Branches: EL-5
Owners: kasal mmaslano

Please branch from devel -D 2008-02-25 . (Or from F-8 branch if that's easier.)

Just a sanity self-check - this should only be an issue when the inflated output size is exactly the same size as the output buffer (initial size is -Bufsize or 4096 by default, doubles in size on each buffer grow). This problem exists because Compress::Raw::Zlib's inflate NUL-terminates the output buffer (*SvEND(output) = '\0';), even though it may not have enough space. So this should be a heap off-by-one, unless I'm missing something. Do I have it right?

This corresponds to my interpretation of the source code. Archive::Zip, which is used by amavisd-new, uses a default ChunkSize of 32768. That's why it hangs when processing the zip file contained in my test-case.

Ok, thanks for confirmation. Leo, this bug will be made public sooner or later. Can we keep your test cases public, or would you prefer if we restrict access to your attachment? Can we share tests with other vendors? Thanks!

Opening bug to add it to bodhi update requests. Attachment marked as private for now. Test case can be re-created by deflating input of Bufsize and re-inflating it again.

I don't mind if you make the attachment available to the public. (I couldn't figure out how to do it myself... :-))

Thanks, done.

cvs done.

Updates:
https://admin.fedoraproject.org/updates/perl-5.10.0-69.fc9
https://admin.fedoraproject.org/updates/perl-5.10.0-69.fc10
https://admin.fedoraproject.org/updates/perl-5.10.0-69.fc11

perl-Compress-Raw-Zlib-2.020-1 has been built for EPEL 4 and EPEL 5.

perl-5.10.0-69.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

perl-5.10.0-73.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/perl-5.10.0-73.fc10

perl-5.10.0-73.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/perl-5.10.0-73.fc9

perl-5.10.0-73.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/perl-5.10.0-73.fc11

perl-5.10.0-73.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
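The off-by-one condition discussed in the comments above, as an added example that is not part of the original bug report or the module's own code: a simplified C model of an output buffer that starts at Bufsize and doubles, showing for which output sizes an unchecked NUL terminator would fall outside the allocation and how reserving the extra byte first avoids it. The names outbuf, fill, terminate_checked and nul_fits and the sample sizes are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified model of an inflate output buffer; not the module's own code. */
struct outbuf { char *data; size_t len, cap; };

/* Produce `total` bytes of stand-in output: start at `bufsize` capacity and
 * double it while the buffer is too small for the pending output. */
static int fill(struct outbuf *b, size_t bufsize, size_t total) {
    b->len = 0; b->cap = bufsize;
    b->data = bufsize ? malloc(bufsize) : NULL;
    if (!b->data) return -1;
    while (b->cap < total) {
        char *p = realloc(b->data, b->cap * 2);
        if (!p) return -1;
        b->data = p; b->cap *= 2;
    }
    memset(b->data, 'A', total);
    b->len = total;
    return 0;
}

/* Hardened terminator: reserve the extra byte before writing the NUL. */
static int terminate_checked(struct outbuf *b) {
    if (b->len == b->cap) {
        char *p = realloc(b->data, b->cap + 1);
        if (!p) return -1;
        b->data = p; b->cap += 1;
    }
    b->data[b->len] = '\0';
    return 0;
}

/* 1: unchecked data[len] = '\0' stays in bounds; 0: one past the end; -1: error. */
int nul_fits(size_t bufsize, size_t total) {
    struct outbuf b;
    if (fill(&b, bufsize, total) != 0) { free(b.data); return -1; }
    int fits = b.len < b.cap;
    if (terminate_checked(&b) != 0) fits = -1;
    free(b.data);
    return fits;
}

int main(void) {
    size_t sizes[] = { 4095, 4096, 5000, 8192, 32768 };  /* constructed sizes */
    for (size_t i = 0; i < sizeof sizes / sizeof *sizes; i++)
        printf("%zu bytes: %d\n", sizes[i], nul_fits(4096, sizes[i]));
}
```

Only output sizes that land exactly on the current capacity (4096, 8192, 32768 with the default start) report 0, which matches the condition described in the thread.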