Bug 84961 - buffer overrun on gzprintf
Summary: buffer overrun on gzprintf
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: zlib
Version: 7.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jeff Johnson
QA Contact: Mike McLean
URL: http://www.securityfocus.com/archive/...
Whiteboard:
Depends On:
Blocks:
Reported: 2003-02-24 12:45 UTC by Arenas Belon, Carlo Marcelo
Modified: 2007-04-18 16:51 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-02-25 02:34:45 UTC


Attachments
zlib 1.1.4 patch that test for [v]snprintf support and fixes overflow (2.36 KB, patch)
2003-02-24 12:48 UTC, Arenas Belon, Carlo Marcelo


Links
System: Red Hat Product Errata
ID: RHSA-2003:079
Priority: low
Status: SHIPPED_LIVE
Summary: Updated zlib packages fix gzprintf buffer overflow vulnerability
Last Updated: 2003-04-29 04:00:00 UTC

Description Arenas Belon, Carlo Marcelo 2003-02-24 12:45:08 UTC

Description of problem:
When the function gzprintf is called with a string bigger than Z_PRINTF_BUFSIZE, it overflows without giving a warning.

It defaults to the unsafe functions unless instructed at compile time to use the secure ones that won't overflow; no warning is given of an error in those cases, though.

Version-Release number of selected component (if applicable): ALL


How reproducible:
Always

Steps to Reproduce:
1. compile code on URL
2. execute

Actual Results:  execution error

Expected Results:  non fatal errors returned from the gzprintf call

Additional info: This error is also present on the current rawhide version of zlib and in the older releases.
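The two failure modes the report describes, as an added example rather than zlib's own code: a gzprintf-shaped routine that formats into a fixed stack buffer and writes strlen(buf) bytes regardless of what the formatter did, beside a form that checks vsnprintf's return value and reports an oversize message instead of writing it. BUFSIZE, sink_write, legacy_printf and checked_printf are names chosen for this example; the sink stands in for gzwrite.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define BUFSIZE 32   /* stand-in for Z_PRINTF_BUFSIZE (4096 in zlib 1.1.4) */

/* Stand-in for gzwrite(): copies len bytes into a caller-owned sink. */
static int sink_write(char *sink, size_t sink_len, const char *buf, size_t len)
{
    if (len > sink_len) return 0;
    memcpy(sink, buf, len);
    return (int)len;
}

/* Shape of the 1.1.4 routine when built WITH the snprintf family: the
 * output is silently cut at BUFSIZE-1 bytes and strlen(buf) is written
 * as if nothing went wrong.  Without HAS_vsnprintf the same line is a
 * vsprintf() into buf, and the excess bytes land past the buffer. */
static int legacy_printf(char *sink, size_t sink_len, const char *fmt, ...)
{
    char buf[BUFSIZE];
    va_list va;
    int len;

    va_start(va, fmt);
    (void)vsnprintf(buf, sizeof buf, fmt, va);  /* return value ignored */
    va_end(va);
    len = (int)strlen(buf);                     /* truncation is invisible */
    if (len <= 0) return 0;
    return sink_write(sink, sink_len, buf, (size_t)len);
}

/* Hardened form: check vsnprintf's return value and refuse to write
 * anything when the formatted text would not fit; the caller gets -1. */
static int checked_printf(char *sink, size_t sink_len, const char *fmt, ...)
{
    char buf[BUFSIZE];
    va_list va;
    int len;

    va_start(va, fmt);
    len = vsnprintf(buf, sizeof buf, fmt, va);  /* never writes past buf */
    va_end(va);

    if (len < 0) return -1;                     /* encoding/format error */
    if ((size_t)len >= sizeof buf) return -1;   /* would be truncated */
    if (len == 0) return 0;
    return sink_write(sink, sink_len, buf, (size_t)len);
}
```

A caller of the legacy form cannot tell a 31-byte message from a truncated 54-byte one; the checked form makes the oversize case a visible error.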

Comment 1 Arenas Belon, Carlo Marcelo 2003-02-24 12:48:56 UTC
Created attachment 90308 [details]
zlib 1.1.4 patch that test for [v]snprintf support and fixes overflow

Comment 2 Mark J. Cox 2003-02-24 14:20:04 UTC
Announcement of this issue is here:
http://online.securityfocus.com/archive/1/312869

Comment 3 Jeff Johnson 2003-02-24 18:40:51 UTC
Fixed in zlib-1.1.4-8.

Comment 4 Arenas Belon, Carlo Marcelo 2003-02-24 19:02:51 UTC
The Rawhide package was also affected, but this bug was introduced in zlib in 1.0.6 (Jan 19, 1998), and therefore all of the currently supported releases are vulnerable.

I would recommend an errata for zlib and the packages that use it statically linked.

Even if the rawhide release (couldn't test it though as it is not yet available) is fixed, the zlib package I reported with the problem (the one on RH 7.3) still needs a fix that only an errata and not a rawhide package could provide IMHO.

Comment 5 Jeff Johnson 2003-02-25 02:34:45 UTC
A preliminary audit shows only
   rpm2html
   gimp-print
actually using gzprintf. That's hardly enough
to justify an errata, but that's not my call.

An errata will be issued if the risk is deemed
sufficiently high. Meanwhile, the patch is applied in
Raw Hide.

Comment 6 Mark J. Cox 2003-04-29 08:11:33 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2003-079.html
