Vulnwatch: zlib prior to 1.2.2-r1 contains buffer overflow

[Chris Wysopal <weld () vulnwatch org>]

Secunia advisory: http://secunia.com/advisories/15949/

Any program that uses zlib is likely to be effected by this issue. An old
list of programs that use zlib is here:

http://www.gzip.org/zlib/apps.gz.html.

If the program statically links zlib the vendor will need to recompile and
issue a patch. If they just ship the dll it may be possible to just
replace the zlib.dll or zlib1.dll (on Windows). Usage of zlib is very
widespread and almost every major software vendor is using it. It effects
Unix, Linux, Mac OS X and Windows machines.

A quick file search of "zlib" on one Windows machine turned up the
following applications using the zlib dll. No doubt many more applications
have it statically linked.

BitTorrent
Ethereal
Trillian
Microsoft Office
Mozilla
HP LaserJet All-in-one
Netscape
DCplusplus
MySql
Shareaza
WinVNC

Here is the patch found on debian.org [1]

$ diff -Naur inftrees.c ../zlib-1.2.2.orig/
--- inftrees.c 2005-07-10 13:38:37.000000000 +0100
+++ ../zlib-1.2.2.orig/inftrees.c 2004-09-15 15:30:06.000000000 +0100
@@ -134,7 +134,7 @@
left -= count[len];
if (left < 0) return -1; /* over-subscribed */
}
- if (left > 0 && (type == CODES || max != 1))
+ if (left > 0 && (type == CODES || (codes - count[0] != 1)))
return -1; /* incomplete set */

The BSD flavors and many Linux flavors are already patched.


[1] posted to slashdot.org by alan () wylie me uk