OpenPKG Security Advisory
OpenPKG-SA-2003.015
Publisher Name: OpenPKG GmbH
Publisher Home: http://openpkg.com/
Advisory Id (public): OpenPKG-SA-2003.015
Advisory Type: OpenPKG Security Advisory (SA)
Advisory Directory: http://openpkg.com/go/OpenPKG-SA
Advisory Document: http://openpkg.com/go/OpenPKG-SA-2003.015
Advisory Published: 2010-03-12 23:12 UTC
Issue Id (internal): OpenPKG-SI-20030304.02
Issue First Created: 2003-03-04
Issue Last Modified: 2006-11-28
Issue Revision: 05
Subject Name: zlib
Subject Summary: zlib Compression Library
Subject Home: http://www.gzip.org/zlib/
Subject Versions: * <= 1.1.4
Vulnerability Id: CVE-2003-0107
Vulnerability Scope: global (not OpenPKG specific)
Attack Feasibility: run-time
Attack Vector: remote network
Attack Impact: denial of service, arbitrary code execution
Description:
The zlib [0] compression library provides the API function gzprintf(),
a convenient printf(3)-style formatted output function built on zlib's
raw output function gzwrite(). Richard Kettlewell discovered [1] that
the implementation of gzprintf() by default uses the portable but
insecure vsprintf(3) and sprintf(3) functions (which do not bound their
output and are therefore subject to buffer overflows), although it could
optionally be built to use the bounded vsnprintf(3) and snprintf(3)
functions instead. Unfortunately, even this optional use of vsnprintf(3)
and snprintf(3) did not take the functions' return value (the number of
characters written, or the number that would have been written had
truncation not taken place) into account. As a result, gzprintf() smashes
the run-time stack if called with arguments that expand to more than
Z_PRINTF_BUFSIZE (= 4096 by default) bytes. This allows attackers to
cause a Denial of Service (DoS) or possibly execute arbitrary code.
The OpenPKG zlib packages were fixed by adding the necessary configure
script checks so that the bounded vsnprintf(3) and snprintf(3) functions
are always used. Additionally, the code was adjusted to correctly take
the return value of vsnprintf(3) and snprintf(3) into account and, in
particular, to ensure that truncated writes are not performed (which in
turn can lead to new security issues).
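The fix pattern the advisory describes, as an added example in C that is not zlib's or OpenPKG's own code: a bounded vsnprintf() whose return value is checked so that an over-long expansion is rejected outright rather than overrunning the buffer or being silently truncated. An in-memory sink stands in for gzwrite(), and the names checked_printf_write, sink_write, write_run and checked_sink_length are this example's own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Same size as zlib's default Z_PRINTF_BUFSIZE quoted in the advisory. */
#define PRINTF_BUFSIZE 4096

/* Hypothetical stand-in for zlib's gzwrite(): an in-memory sink so the
 * example runs without a gzip stream. Returns the number of bytes accepted. */
static char sink[PRINTF_BUFSIZE * 2];
static size_t sink_len;

static int sink_write(const char *buf, size_t len)
{
    if (sink_len + len > sizeof(sink)) return 0;
    memcpy(sink + sink_len, buf, len);
    sink_len += len;
    return (int)len;
}

/* Hardened as the advisory describes: vsnprintf bounds the write and its
 * return value (the length the output *would* have had) is checked, so an
 * over-long expansion is rejected whole, not truncated. Returns 0 on error. */
int checked_printf_write(const char *fmt, ...)
{
    char buf[PRINTF_BUFSIZE];
    va_list ap;
    int len;
    va_start(ap, fmt);
    len = vsnprintf(buf, sizeof(buf), fmt, ap);
    va_end(ap);
    /* len < 0: encoding error; len >= sizeof(buf): output was truncated. Either
     * way nothing is written: no partial record, and the buffer is never overrun. */
    if (len < 0 || (size_t)len >= sizeof(buf)) return 0;
    return sink_write(buf, (size_t)len);
}

/* Helper to probe the boundary: format a run of n copies of c through "%s". */
int write_run(char c, size_t n)
{
    static char s[PRINTF_BUFSIZE + 1];   /* helper's own bound on n */
    if (n > PRINTF_BUFSIZE) return 0;
    memset(s, c, n);
    s[n] = '\0';
    return checked_printf_write("%s", s);
}

/* Bytes the sink has accepted so far, to confirm nothing truncated got in. */
size_t checked_sink_length(void) { return sink_len; }
```

A run of 4095 bytes fills the buffer exactly and is written; one byte more is refused as a whole, and the sink shows that only complete records ever reached it.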
NOTICE 1: Keep in mind that our particular code changes fix the
problems on our six officially supported Unix platforms only (FreeBSD
4/5, Debian 2.2/3.0 and Solaris 8/9). It is not a general solution
applicable to arbitrary Unix platforms where OpenPKG might also work.
NOTICE 2: OpenPKG CURRENT currently has 49 packages depending on
the "zlib" package and 7 packages which have a local copy of zlib
embedded. Fortunately, none of those 56 packages use the affected
gzprintf() function -- neither directly nor indirectly.
References:
[0] http://www.gzip.org/zlib/
[1] http://online.securityfocus.com/archive/1/312869
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0107
[3] http://www.openpkg.org/tutorial.html#regular-source
[4] http://www.openpkg.org/tutorial.html#regular-binary
[5] ftp://ftp.openpkg.org/release/1.1/UPD/zlib-1.1.4-1.1.1.src.rpm
[6] ftp://ftp.openpkg.org/release/1.2/UPD/zlib-1.1.4-1.2.1.src.rpm
[7] ftp://ftp.openpkg.org/release/1.1/UPD/
[8] ftp://ftp.openpkg.org/release/1.2/UPD/
[9] http://www.openpkg.org/security.html#signature
Primary Package Name: zlib
Primary Package Home: http://openpkg.org/go/package/zlib
Affected Distribution     Affected Branch     Affected Package
OpenPKG Community         1.1-SOLID           zlib-1.1.4-1.1.0
OpenPKG Community         1.2-SOLID           zlib-1.1.4-1.2.0
OpenPKG Community         CURRENT             zlib-1.1.4-20020312

Corrected Distribution    Corrected Branch    Corrected Package
OpenPKG Community         1.1-SOLID           zlib-1.1.4-1.1.1
OpenPKG Community         1.2-SOLID           zlib-1.1.4-1.2.1
OpenPKG Community         CURRENT             zlib-1.1.4-20030227