(Apple Issues Fix) zlib Compression Library Buffer Overflow in 'gzprintf()' May Let Users Execute Arbitrary Code
SecurityTracker Alert ID: 1008229
SecurityTracker URL: http://securitytracker.com/id/1008229
CVE Reference: CAN-2003-0107
Date: Nov 18 2003
Impact: Execution of arbitrary code via local system, Execution of arbitrary code via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.1.4
Description:
A buffer overflow was reported in zlib when configured in a certain manner. The impact will vary depending on the application using the zlib compression library.
It is reported that, in the default configuration, the gzprintf() function can overflow the stack if called with arguments that expand to a length greater than that defined by the Z_PRINTF_BUFSIZE define statement (reported to be 4096 bytes by default).
According to the report, if HAS_vsnprintf is defined at build time (which is not the default configuration and is apparently not documented), zlib will use the potentially safer vsnprintf() function instead of vsprintf(). However, vsnprintf() silently truncates overly long strings, which may itself result in security issues.
The specific impact of the stack overflow or the string truncation will depend on how an application uses zlib. It is possible that denial of service conditions could be introduced by local or remote users. It is also possible that arbitrary code could be executed by local or remote users.
A demonstration exploit transcript is provided in the Source Message.
The vendor has reportedly been notified.
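The two bounded ways of formatting into a fixed buffer that the description contrasts, as an added example in C that is not zlib's code: the HAS_vsnprintf build's bounded-but-silent truncation beside a fail-closed variant that bounds the write and reports the overflow, so a caller can tell a truncated record from a complete one. Z_PRINTF_BUFSIZE and its 4096-byte default are taken from the advisory; the sink_write stand-in, the function names and the constructed inputs are assumptions. The default vsprintf() path is only described in the comments, since running it is the overflow itself.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not zlib's code. Z_PRINTF_BUFSIZE and its 4096-byte default
 * come from the advisory; everything else here is an assumed stand-in. The
 * default build formats with vsprintf() into a buffer of this size, so any
 * argument that expands past it writes off the end of the stack buffer. */
#define Z_PRINTF_BUFSIZE 4096

/* Stand-in for the write to the compressed stream: it only counts bytes. */
static size_t sink_bytes = 0;

static void sink_write(const char *buf, size_t len)
{
    (void)buf;
    sink_bytes += len;
}

size_t sink_total(void)
{
    return sink_bytes;
}

/* Variant 1: the bounded-but-silent behaviour the advisory attributes to the
 * HAS_vsnprintf build. The stack buffer can no longer overflow, but output
 * longer than the buffer is cut off and the caller is never told.
 * Returns the number of bytes actually handed to the sink. */
int truncating_vprintf(const char *fmt, va_list ap)
{
    char buf[Z_PRINTF_BUFSIZE];
    size_t len;
    int n = vsnprintf(buf, sizeof buf, fmt, ap);

    if (n < 0)
        return -1;                  /* encoding error */
    len = strlen(buf);              /* at most Z_PRINTF_BUFSIZE - 1 */
    sink_write(buf, len);
    return (int)len;
}

/* Variant 2: bounded and fail-closed. vsnprintf() returns the length the full
 * output would have had; if that does not fit, nothing is written and an
 * error is returned, so a cut-off record can never pass for a complete one. */
int checked_vprintf(const char *fmt, va_list ap)
{
    char buf[Z_PRINTF_BUFSIZE];
    int n = vsnprintf(buf, sizeof buf, fmt, ap);

    if (n < 0)
        return -1;                  /* encoding error */
    if ((size_t)n >= sizeof buf)
        return -1;                  /* would have been truncated */
    sink_write(buf, (size_t)n);
    return n;
}

int truncating_printf(const char *fmt, ...)
{
    va_list ap;
    int r;
    va_start(ap, fmt);
    r = truncating_vprintf(fmt, ap);
    va_end(ap);
    return r;
}

int checked_printf(const char *fmt, ...)
{
    va_list ap;
    int r;
    va_start(ap, fmt);
    r = checked_vprintf(fmt, ap);
    va_end(ap);
    return r;
}

/* Demonstration helper: format a constructed argument of `len` 'A' bytes
 * through one variant and return its result. */
static int demo(int (*fn)(const char *, ...), size_t len)
{
    char *s = malloc(len + 1);
    int r;
    if (s == NULL)
        return -1;
    memset(s, 'A', len);
    s[len] = '\0';
    r = fn("%s", s);
    free(s);
    return r;
}

int demo_truncating(size_t len) { return demo(truncating_printf, len); }
int demo_checked(size_t len)    { return demo(checked_printf, len); }
```

With a 16-byte argument both variants write 16 bytes; with a 5000-byte argument the truncating variant quietly hands 4095 bytes to the sink, while the checked variant writes nothing and returns -1. The distinguishing step is comparing vsnprintf()'s return value against the buffer size rather than trusting the buffer contents.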
Impact:
A remote or local user may be able to trigger a buffer overflow to execute arbitrary code, depending on the design of the application that uses the zlib library.
Solution:
Apple has released a fix for Mac OS X as part of Mac OS X 10.3 Panther.
Vendor URL: www.gzip.org/zlib/
Cause:
Boundary error
Underlying OS:
UNIX (OS X)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Tue, 28 Oct 2003 09:46:35 -0800
Subject: APPLE-SA-2003-10-28 Mac OS X 10.3 Panther
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2003-10-28 Mac OS X 10.3 Panther
Mac OS X 10.3 Panther has been released, and it contains the following security enhancements:

Finder: Fixes CAN-2003-0876 where folder permissions may not be preserved when copying a folder from a mounted volume such as a disk image. Credit to Dave G. from @stake, Inc. for finding this issue.

Kernel: Fixes CAN-2003-0877 where if a system is running with core files enabled, a user with interactive shell access can overwrite arbitrary files, and read core files created by root-owned processes. This may result in sensitive information such as authentication credentials being compromised. Core file creation is disabled by default on Mac OS X. Credit to Dave G. from @stake, Inc. for finding this issue.

slpd: Fixes CAN-2003-0878 when Personal File Sharing is enabled, the slpd daemon may create a root-owned file in the /tmp directory. This could overwrite an existing file and allow a user to gain elevated privileges. Personal File Sharing is off by default in Mac OS X. Credit to Dave G. from @stake, Inc. for finding this issue.

Kernel: Fixes CAN-2003-0895 where it may be possible for a local user to cause the Mac OS X kernel to crash by specifying a long command line argument. The machine will reboot on its own after several minutes. Credit to Dave G. from @stake, Inc. for finding this issue.

ktrace: Fixes CVE-2002-0701 a theoretical exploit when ktrace is enabled through the KTRACE kernel option, a local user might be able to obtain sensitive information. No specific utility is currently known to be vulnerable to this particular problem.

nfs: Fixes CVE-2002-0830 for the Network File System where a remote user may be able to send RPC messages that cause the system to lock up.

zlib: Addresses CAN-2003-0107. While there were no functions in Mac OS X that used the vulnerable gzprintf() function, the underlying issue in zlib has been fixed.

gm4: Fixes CAN-2001-1411 a format string vulnerability in the gm4 utility. No setuid root programs relied on gm4 and this fix is a preventative measure against a possible future exploit.

OpenSSH: Fixes CAN-2003-0386 where "from=" and "user@hosts" restrictions are potentially spoofable via reverse DNS for numerically specified IP addresses. Mac OS X 10.3 also incorporates prior fixes released for OpenSSH, and the version of OpenSSH as obtained via the "ssh -V" command is:
OpenSSH_3.6.1p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090702f

nidump: Fixes CAN-2001-1412 where the nidump utility provides access to the crypted passwords used to authenticate logins.

System Preferences: Fixes CAN-2003-0883 where after authenticating with an administrator password, the system will continue to allow access to secure Preference Panes for a short period of time. This could allow a local user to access Preference Panes that they would not normally be able to use. In Mac OS X 10.3 Security preferences, there is now a choice to "Require password to unlock each secure system preference". Credit to Anthony Holder for reporting this issue.

TCP timestamp: Fixes CAN-2003-0882 where the TCP timestamp is initialized with a constant number. This could allow a person to discover how long the system has been up based upon the ID in TCP packets. In Mac OS X 10.3, the TCP timestamp is now initialized with a random number. Credit to Aaron Linville for reporting this issue and submitting a fix via the Darwin open source program.

Mail: Fixes CAN-2003-0881 in the Mac OS X Mail application, if an account is configured to use MD5 Challenge Response, it will attempt to login using CRAM-MD5 but will silently fall back to plain-text if the hashed login fails. Credit to Chris Adams for reporting this issue.

Dock: Fixes CAN-2003-0880 when Full Keyboard Access is turned on via the Keyboard pane in System Preferences, Dock functions can be accessed blindly from behind Screen Effects.

Other security features: Mac OS X 10.3 contains a number of other security features which may be found at:
http://www.apple.com/macosx/features/security/

================================================

Further information on Mac OS X 10.3 may be obtained from:
http://www.apple.com/macosx/

This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/security_pgp.html
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
iQEVAwUBP56rFXeI0z6bzFr0AQIvKAgAg781rk+PU4rGZAo4/5z6OCD6f8cdy7ra
cyP9Ojg8u58g4UisHF4cF9gvVq99TT5WXhMEHZHE+/TFetUj08xyY6q5FJa9VtNg
YcO66fwHGKjB7AlXJmux/nwV0r2x8hqyx2Q0PHCgPMo9MWtO3/tUM6Gpc8kA/JeH
Rd0Csw3ejm4zBIP/t5C5QY/20KZJ9i5S48Nw6neLmJf/mBAfjvMkZM1R+pPN/58A
BwSiuILg8qxE2kf4roMJUTSOf8ToFGTD8X5sp/p15YBzjvknVV5ls7XHCwlkz+iF
W04E3CFbeX9ixTtrHPzStPKAtiRwai1oqx0LRd2mApnYTvbl9lMCOw==
=PJi8
-----END PGP SIGNATURE-----