Message-ID: <20030304164754.GA9399@en4.engelschall.com>
Date: Tue, 4 Mar 2003 17:47:54 +0100
From: OpenPKG <openpkg@...npkg.org>
To: bugtraq@...urityfocus.com
Subject: [OpenPKG-SA-2003.015] OpenPKG Security Advisory (zlib)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html                 http://www.openpkg.org
openpkg-security@...npkg.org                         openpkg@...npkg.org
OpenPKG-SA-2003.015                                          04-Mar-2003
________________________________________________________________________
Package: zlib
Vulnerability: denial of service, code execution
OpenPKG Specific: no
Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= zlib-1.1.4-20020312      >= zlib-1.1.4-20030227
OpenPKG 1.2          <= zlib-1.1.4-1.2.0         >= zlib-1.1.4-1.2.1
OpenPKG 1.1          <= zlib-1.1.4-1.1.0         >= zlib-1.1.4-1.1.1

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      none (see NOTICE 2 below)
OpenPKG 1.2          none (see NOTICE 2 below)
OpenPKG 1.1          none (see NOTICE 2 below)
Description:
The zlib [0] compression library provides an API function gzprintf(),
a convenient printf(3)-style formatted output function built on top of
zlib's raw output function gzwrite(). Richard Kettlewell discovered [1]
that the implementation of gzprintf() by default uses the portable but
insecure vsprintf(3) and sprintf(3) functions (which perform no bounds
checking and are therefore subject to buffer overflows), although it
could optionally be built to use the bounded vsnprintf(3) and
snprintf(3) functions instead. Unfortunately, even the optional use of
vsnprintf(3) and snprintf(3) did not take the function return value
(the number of characters written, or the number that would have been
written had truncation not occurred) into account.
As a result, gzprintf() will smash the run-time stack if called with
arguments that expand to more than Z_PRINTF_BUFSIZE (= 4096 by
default) bytes. This allows attackers to cause a Denial of Service
(DoS) or possibly execute arbitrary code. The Common Vulnerabilities
and Exposures (CVE) project assigned the id CAN-2003-0107 [2] to the
problem.
The OpenPKG zlib packages were fixed by adding the necessary configure
script checks to always use the secure vsnprintf(3) and snprintf(3)
functions. Additionally, the code was adjusted to correctly take
into account the return value of vsnprintf(3) and snprintf(3) and,
in particular, to make sure that truncated writes are not performed
(which in turn could lead to new security issues).
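The corrected handling described above, shown as an added example that is not zlib's or OpenPKG's own code: the fixed-size staging buffer is always filled with the bounded vsnprintf(3), its return value is checked, and a write that would have been truncated is refused instead of performed. The gzwrite() stand-in, the sink buffer and the demo helper are assumptions made for this illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Default staging-buffer size zlib uses for gzprintf() (Z_PRINTF_BUFSIZE). */
#define Z_PRINTF_BUFSIZE 4096

/* Stand-in for gzwrite(): copy len bytes to a sink; returns 0 if it does not fit. */
static int sink_write(char *sink, size_t sinkcap, const char *buf, size_t len)
{
    if (len > sinkcap) return 0;
    memcpy(sink, buf, len);
    return (int)len;
}

/* Hardened formatted write modelled on the corrected gzprintf() logic:
 *  - always format with the bounded vsnprintf(), never vsprintf();
 *  - use the vsnprintf() return value (the length the output WOULD have
 *    had) to detect truncation instead of ignoring it;
 *  - refuse the write entirely rather than emit a truncated record.
 * Returns bytes written, or 0 on error/truncation (as gzprintf() does). */
int checked_fmt_write(char *sink, size_t sinkcap, const char *format, ...)
{
    char buf[Z_PRINTF_BUFSIZE];
    va_list va;
    int len;
    /* Pre-terminate the last byte so the check below also catches
     * vsnprintf() implementations that do not NUL-terminate on truncation. */
    buf[sizeof(buf) - 1] = '\0';
    va_start(va, format);
    len = vsnprintf(buf, sizeof(buf), format, va);
    va_end(va);

    /* len < 0: encoding error; len >= sizeof(buf): output was truncated. */
    if (len < 0 || len >= (int)sizeof(buf) || buf[sizeof(buf) - 1] != '\0')
        return 0;
    return sink_write(sink, sinkcap, buf, (size_t)len);
}

/* Demo helper (constructed input): format a %s argument of arglen 'A' bytes. */
int demo_write_arg(size_t arglen)
{
    static char arg[8192], sink[8192];
    if (arglen >= sizeof(arg)) return -1;
    memset(arg, 'A', arglen);
    arg[arglen] = '\0';
    return checked_fmt_write(sink, sizeof(sink), "value=%s\n", arg);
}
```

An argument that makes the formatted line reach Z_PRINTF_BUFSIZE bytes or more is rejected with 0, whereas the original code would have passed a partially formatted (or overflowed) buffer on to gzwrite().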
NOTICE 1: Keep in mind that our particular code changes fix the
problems on our six officially supported Unix platforms only (FreeBSD
4/5, Debian 2.2/3.0 and Solaris 8/9). It is not a general solution
applicable to arbitrary Unix platforms where OpenPKG might also work.
Please check whether you are affected by running "<prefix>/bin/rpm
-q zlib". If you have the "zlib" package installed and its version
is affected (see above), we recommend that you immediately upgrade
it (see Solution) [3][4].
NOTICE 2: OpenPKG CURRENT currently has 49 packages depending on
the "zlib" package and 7 packages which have a local copy of zlib
embedded. Fortunately, none of those 56 packages use the affected
gzprintf() function -- neither directly nor indirectly.
Solution:
Select the updated source RPM appropriate for your OpenPKG release
[5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
location, verify its integrity [9], build a corresponding binary RPM
from it [3] and update your OpenPKG installation by applying the binary
RPM [4]. For the current release OpenPKG 1.2, perform the following
operations to permanently fix the security problem (for other releases
adjust accordingly).
$ ftp ftp.openpkg.org
ftp> bin
ftp> cd release/1.2/UPD
ftp> get zlib-1.1.4-1.2.1.src.rpm
ftp> bye
$ <prefix>/bin/rpm -v --checksig zlib-1.1.4-1.2.1.src.rpm
$ <prefix>/bin/rpm --rebuild zlib-1.1.4-1.2.1.src.rpm
$ su -
# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/zlib-1.1.4-1.2.1.*.rpm
________________________________________________________________________
References:
[0] http://www.gzip.org/zlib/
[1] http://online.securityfocus.com/archive/1/312869
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0107
[3] http://www.openpkg.org/tutorial.html#regular-source
[4] http://www.openpkg.org/tutorial.html#regular-binary
[5] ftp://ftp.openpkg.org/release/1.1/UPD/zlib-1.1.4-1.1.1.src.rpm
[6] ftp://ftp.openpkg.org/release/1.2/UPD/zlib-1.1.4-1.2.1.src.rpm
[7] ftp://ftp.openpkg.org/release/1.1/UPD/
[8] ftp://ftp.openpkg.org/release/1.2/UPD/
[9] http://www.openpkg.org/security.html#signature
________________________________________________________________________
For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@...npkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@...npkg.org>
iD8DBQE+ZNXUgHWT4GPEy58RAorLAJ42kiOkr5DK4LNMJpBQi77vrIBjkwCdHqKz
mgzAuVVj36YHDmRp95U2uFc=
=eLZA
-----END PGP SIGNATURE-----