oss-sec mailing list archives
Re: zlib security audit by 7asecurity
From: Steffen Nurpmeso <steffen () sdaoden eu>
Date: Wed, 18 Feb 2026 01:58:30 +0100
Jan Engelhardt wrote in
<46s1o312-qrro-qp69-7oq8-61psn0nnr4o6 () vanv qr>:
|On Tuesday 2026-02-17 22:21, Simon Josefsson wrote:
|>Sam James <sam () gentoo org> writes:
|>
|>> * ZLB-01-001 WP2: Heap Buffer Overflow via Legacy gzprintf Implementation (High)
|>
|>That vulnerability seems to require that zlib was built with
|>-DNO_vsnprintf -DNO_snprintf, targeting a system lacking 'snprintf'.
|>
|>Does anyone know of a real-world environment using that configuration?
|
|Does Borland C++ 1.01 for DOS count?
Jörg Schilling documented in ANNOUNCEMENTS/AN-2019-10-25:
- libschily: A vsnprintf() implementation has been added since this is
needed by SunPro Make and missing on Ultrix.
(Twenty+ years ago many projects had snprintf() built-in
fallbacks, often for %m, maybe (not sure) for crazy hexadecimal
crazy FP aka %a/%A. Now I have forgotten what I wanted to add.
Ah! The new zlib release brings a fix for 16-bit integers, so his
sense of real-world seems different from, for example, mine.)
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
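A practical way to answer the "does anyone actually run that configuration" question for a deployed zlib is to ask the library itself: zlib's public zlibCompileFlags() returns a bitmask whose bits 24-26 describe which sprintf variant gzprintf was built with, and zlib.h documents bit 25 as "0 = *nprintf, 1 = *printf -- 1 means gzprintf() not secure!". The program below is an added example, not zlib's code and not part of this thread; it decodes those documented bits so an operator can check whether a build took the legacy NO_vsnprintf/NO_snprintf path. HAVE_ZLIB is an assumed macro for this example: compile with -DHAVE_ZLIB -lz to query the real library, otherwise a constructed sample value is decoded.

```c
/* Added example (not zlib's own code): decode the gzprintf-related bits of
 * zlibCompileFlags() to tell whether a deployed zlib was built without
 * snprintf/vsnprintf, i.e. with the legacy gzprintf path discussed above.
 * Bit positions follow the zlibCompileFlags() description in zlib.h.
 * HAVE_ZLIB is an assumed build macro for this example. */
#include <stdio.h>

#ifdef HAVE_ZLIB
#include <zlib.h>
#endif

/* sprintf-variant bits reported by zlibCompileFlags() (zero is best). */
#define ZCF_GZPRINTF_NONVARIADIC  (1UL << 24) /* s* instead of vs*: limited to 20 args */
#define ZCF_GZPRINTF_UNBOUNDED    (1UL << 25) /* *printf instead of *nprintf: not secure */
#define ZCF_GZPRINTF_VOID_RETURN  (1UL << 26) /* length inferred rather than returned */

/* Returns nonzero when gzprintf formats with an unbounded *printf, which is
 * the variant selected by building with -DNO_vsnprintf -DNO_snprintf. */
int gzprintf_is_unbounded(unsigned long flags)
{
    return (flags & ZCF_GZPRINTF_UNBOUNDED) != 0;
}

/* Returns 0 when the best variant (vsnprintf) is in use, otherwise the
 * subset of the three gzprintf-related deficiency bits that are set. */
unsigned long gzprintf_deficiencies(unsigned long flags)
{
    return flags & (ZCF_GZPRINTF_NONVARIADIC |
                    ZCF_GZPRINTF_UNBOUNDED |
                    ZCF_GZPRINTF_VOID_RETURN);
}

/* Human-readable summary of the three bits. */
static void report(unsigned long flags)
{
    printf("zlibCompileFlags = 0x%08lx\n", flags);
    printf("  gzprintf variadic (vs*):     %s\n",
           (flags & ZCF_GZPRINTF_NONVARIADIC) ? "no (s*, max 20 args)" : "yes");
    printf("  gzprintf bounded (*nprintf): %s\n",
           gzprintf_is_unbounded(flags) ? "NO -- legacy *printf path, gzprintf not secure" : "yes");
    printf("  gzprintf returns length:     %s\n",
           (flags & ZCF_GZPRINTF_VOID_RETURN) ? "no (inferred)" : "yes");
}

int main(void)
{
#ifdef HAVE_ZLIB
    unsigned long flags = (unsigned long)zlibCompileFlags();
#else
    /* Constructed sample value: 32-bit type sizes in bits 0-7 plus the
     * unbounded *printf bit, i.e. what a NO_vsnprintf/NO_snprintf build
     * would report. */
    unsigned long flags = 0x55UL | ZCF_GZPRINTF_UNBOUNDED;
#endif
    report(flags);
    /* Non-zero exit lets a build or deployment check fail on the legacy path. */
    return gzprintf_is_unbounded(flags) ? 1 : 0;
}
```

Run against the real library (`cc -DHAVE_ZLIB check.c -lz`), a non-zero exit status flags a zlib whose gzprintf falls back to an unbounded *printf; a build that is otherwise normal reports 0x00000055 or similar with all three answers "yes".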
Current thread:
- zlib security audit by 7asecurity Sam James (Feb 17)
- Re: zlib security audit by 7asecurity Simon Josefsson (Feb 17)
- Re: Re: zlib security audit by 7asecurity Jan Engelhardt (Feb 17)
- Re: zlib security audit by 7asecurity Steffen Nurpmeso (Feb 17)
- Re: Re: zlib security audit by 7asecurity Sevan Janiyan (Feb 17)
- Re: Re: zlib security audit by 7asecurity Sevan Janiyan (Feb 18)
- Re: Re: zlib security audit by 7asecurity Sevan Janiyan (Feb 18)
- Re: Re: zlib security audit by 7asecurity Jan Engelhardt (Feb 17)
- Re: zlib security audit by 7asecurity Simon Josefsson (Feb 17)
