Home page logo
/

bugtraq logo Bugtraq mailing list archives

[OpenPKG-SA-2003.015] OpenPKG Security Advisory (zlib)
From: OpenPKG <openpkg () openpkg org>
Date: Tue, 4 Mar 2003 17:47:54 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security () openpkg org                         openpkg () openpkg org
OpenPKG-SA-2003.015                                          04-Mar-2003
________________________________________________________________________

Package:             zlib
Vulnerability:       denial of service, code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:      Corrected Packages:
OpenPKG CURRENT      <= zlib-1.1.4-20020312  >= zlib-1.1.4-20030227
OpenPKG 1.2          <= zlib-1.1.4-1.2.0     >= zlib-1.1.4-1.2.1
OpenPKG 1.1          <= zlib-1.1.4-1.1.0     >= zlib-1.1.4-1.1.1

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      none (see NOTICE 2 below)
OpenPKG 1.2          none (see NOTICE 2 below)
OpenPKG 1.1          none (see NOTICE 2 below)

Description:
  The zlib [0] compression library provides an API function gzprintf()
  which is a convenient printf(3) style formatted output function based on
  zlib's raw output function gzwrite(). Richard Kettlewell discovered [1] 
  that the implementation of gzprintf() by default uses the portable
  but insecure vsprintf(3) and sprintf(3) functions (subject to buffer
  overflows), although optionally one was able to use the secure
  vsnprintf(3) and snprintf(3) functions. Unfortunately, even the
  optional use of vsnprintf(3) and snprintf(3) did not take the function
  return value (number of characters which were written or which would
  have been written in case a truncation took place) into account.
  
  As a result gzprintf() will smash the run-time stack if called with
  arguments that expand to more than Z_PRINTF_BUFSIZE (= 4096 by
  default) bytes. This allows attackers to cause a Denial of Service
  (DoS) or possibly execute arbitrary code. The Common Vulnerabilities
  and Exposures (CVE) project assigned the id CAN-2003-0107 [2] to the
  problem.

  The OpenPKG zlib packages were fixed by adding the necessary configure
  script checks to always use the secure vsnprintf(3) and snprintf(3)
  functions. Additionally, the code was adjusted to correctly take
  into account the return value of vsnprintf(3) and snprintf(3) and
  especially makes sure that truncated writes are not performed (which
  in turn can lead to new security issues).
  
  NOTICE 1: Keep in mind that our particular code changes fix the
  problems on our six officially supported Unix platforms only (FreeBSD
  4/5, Debian 2.2/3.0 and Solaris 8/9). It is not a general solution
  applicable to arbitrary Unix platforms where OpenPKG might also work.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q zlib". If you have the "zlib" package installed and its version
  is affected (see above), we recommend that you immediately upgrade
  it (see Solution) [3][4].

  NOTICE 2: OpenPKG CURRENT currently has 49 packages depending on
  the "zlib" package and 7 packages which have a local copy of zlib
  embedded. Fortunately, none of those 56 packages use the affected
  gzprintf() function -- neither directly nor indirectly.

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the binary
  RPM [4]. For the current release OpenPKG 1.2, perform the following
  operations to permanently fix the security problem (for other releases
  adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get zlib-1.1.4-1.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig zlib-1.1.4-1.2.1.src.rpm
  $ <prefix>/bin/rpm --rebuild zlib-1.1.4-1.2.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/zlib-1.1.4-1.2.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.gzip.org/zlib/
  [1] http://online.securityfocus.com/archive/1/312869
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0107
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.1/UPD/zlib-1.1.4-1.1.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.2/UPD/zlib-1.1.4-1.2.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.1/UPD/
  [8] ftp://ftp.openpkg.org/release/1.2/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg () openpkg org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg () openpkg org>

iD8DBQE+ZNXUgHWT4GPEy58RAorLAJ42kiOkr5DK4LNMJpBQi77vrIBjkwCdHqKz
mgzAuVVj36YHDmRp95U2uFc=
=eLZA
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
  • [OpenPKG-SA-2003.015] OpenPKG Security Advisory (zlib) OpenPKG (Mar 04)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault