(Sun Issues Fix) Re: zlib Compression Library Buffer Overflow in 'gzprintf()' May Let Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1007991 |
|
SecurityTracker URL: http://securitytracker.com/id/1007991
|
|
CVE Reference:
CAN-2003-0107
(Links to External Site)
|
Date: Oct 24 2003
|
Impact:
Execution of arbitrary code via local system, Execution of arbitrary code via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
|
Description:
A buffer overflow was reported in zlib when configured in a certain manner. The impact will vary depending on the application using the zlib compression library.
It is reported that, in the default configuration, the gzprintf() function can overflow the stack if called with arguments that expand to a length greater than that defined by the Z_PRINTF_BUFSIZE define statement (reported to be 4096 bytes by default).
According to the report, if the '#define (HAS_vsnprintf)' statement is enabled (which is not the default configuration and is apparently not documented), zlib will use the potentially safer vsnprintf() function instead of the vsprintf() function. However, overly long strings will be silently truncated by vsnprintf(), which may result in some security issues.
The specific impact of the stack overflow or the string truncation will depend on how an application uses zlib. It is possible that denial of service conditions could be introduced by local or remote users. It is also possible that arbitrary code could be executed by local or remote users.
A demonstration exploit transcript is provided in the Source Message.
The vendor has reportedly been notified.
|
Impact:
A remote or local user may be able to trigger a buffer overflow to execute arbitrary code, depending on the design of the application that uses the zlib library.
|
Solution:
Sun has issued the following fixes:
SPARC Platform
Solaris 8 with patch 112611-02 or later
Solaris 9 with patch 115754-02 or later
x86 Platform
Solaris 8 with patch 112612-02 or later
Solaris 9 with patch 115755-02 or later
|
Vendor URL: sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57405 (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
UNIX (Solaris - SunOS)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Thu, 23 Oct 2003 23:10:05 -0400
Subject: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57405
|
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57405
57405 Security Vulnerability in Solaris zlib(libz(3)) Compression Library Function
gzprintf( ) 22 Oct 2003
Sun issued a fix for a vulnerability in zlib(libz(3)). Applications that are linked with
"zlib" and use the gzprintf() function may be affected by the vulnerability.
This issue is described in CERT Vulnerability VU#142121 (see
http://www.kb.cert.org/vuls/id/142121).
Solaris 8 and 9 are affected.
CVE: CAN-2003-0107
Sun has issued the following fixes:
SPARC Platform
Solaris 8 with patch 112611-02 or later
Solaris 9 with patch 115754-02 or later
x86 Platform
Solaris 8 with patch 112612-02 or later
Solaris 9 with patch 115755-02 or later
-----
Sun Alert ID: 57405
Synopsis: Security Vulnerability in Solaris zlib(libz(3)) Compression Library Function
gzprintf()
Category: Security
Product: Solaris
BugIDs: 4822658
Avoidance: Patch
State: Resolved
Date Released: 22-Oct-2003
Date Closed: 22-Oct-2003
Date Modified:
|
|
