(Apple Issues Fix for OS X) zlib Compression Library Buffer Overflow in 'gzprintf()' May Let Users Execute Arbitrary Code
SecurityTracker Alert ID: 1008253 |
SecurityTracker URL: http://securitytracker.com/id/1008253
CVE Reference: CAN-2003-0107
Date: Nov 20 2003
Impact:
Execution of arbitrary code via local system, Execution of arbitrary code via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.1.4
Description:
A buffer overflow was reported in zlib when configured in a certain manner. The impact will vary depending on the application using the zlib compression library.
It is reported that, in the default configuration, the gzprintf() function can overflow the stack if called with arguments that expand to a length greater than that defined by the Z_PRINTF_BUFSIZE define statement (reported to be 4096 bytes by default).
According to the report, if the '#define (HAS_vsnprintf)' statement is enabled (which is not the default configuration and is apparently not documented), zlib will use the potentially safer vsnprintf() function instead of the vsprintf() function. However, overly long strings will be silently truncated by vsnprintf(), which may result in some security issues.
The specific impact of the stack overflow or the string truncation will depend on how an application uses zlib. It is possible that denial of service conditions could be introduced by local or remote users. It is also possible that arbitrary code could be executed by local or remote users.
A demonstration exploit transcript is provided in the Source Message.
The vendor has reportedly been notified.
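The fixed-buffer pattern the description refers to, as an added example that is not zlib's or Apple's code: a gzprintf()-style formatter that writes into a caller-supplied buffer (standing in for the gz stream) and returns an error when the expanded output exceeds Z_PRINTF_BUFSIZE, rather than overflowing the stack (vsprintf) or silently truncating (vsnprintf). The demo functions and g_out are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Same fixed stack buffer size zlib 1.1.4 uses for gzprintf(). */
#define Z_PRINTF_BUFSIZE 4096

/* Result buffer for the demo functions below (stands in for the gz stream). */
static char g_out[Z_PRINTF_BUFSIZE];
/*
 * Formats into a Z_PRINTF_BUFSIZE stack buffer like gzprintf(), but with
 * a bounded write and an explicit length check. Returns the formatted
 * length, or -1 when the output would not fit (the caller gets an error
 * instead of a stack overflow or a silently shortened string).
 *
 * For comparison, the two behaviours the advisory describes are:
 *   len = vsprintf(buf, format, va);               // unbounded: overflow
 *   len = vsnprintf(buf, sizeof(buf), format, va); // HAS_vsnprintf: truncates
 */
static int bounded_gzprintf(char *out, size_t outsize, const char *format, ...)
{
    char buf[Z_PRINTF_BUFSIZE];
    va_list va;
    int len;

    va_start(va, format);
    len = vsnprintf(buf, sizeof(buf), format, va);
    va_end(va);
    /* Old libcs return -1 on truncation; C99 returns the would-be length. */
    if (len < 0 || (size_t)len >= sizeof(buf) || (size_t)len >= outsize)
        return -1;
    memcpy(out, buf, (size_t)len + 1);
    return len;
}

/* Normal case: a short format expands to "level=9" (7 bytes) in g_out. */
int demo_normal_argument(void)
{
    return bounded_gzprintf(g_out, sizeof(g_out), "%s=%d", "level", 9);
}

/* Constructed case: a 4999-byte argument exceeds Z_PRINTF_BUFSIZE and is refused. */
int demo_oversized_argument(void)
{
    static char big[5000];
    memset(big, 'A', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    return bounded_gzprintf(g_out, sizeof(g_out), "%s", big);
}
```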
Impact:
A remote or local user may be able to trigger a buffer overflow to execute arbitrary code, depending on the design of the application that uses the zlib library.
Solution:
Apple has released a fix as part of Security Update 2003-11-19 for Mac OS X 10.2.8 and for 10.3.1, available at:
* Software Update pane in System Preferences
* Apple's Software Downloads web site:
Security update 2003-11-19 for Jaguar 10.2.8
http://www.info.apple.com/kbnum/n120277
The download file is named: "SecurityUpd2003-11-19Jag.dmg"
Its SHA-1 digest is: bf6dfd69f084d1ffc0a0db9eff5252fb3213178b
Security Update 2003-11-19 for Panther 10.3.1
http://www.info.apple.com/kbnum/n120278
The download file is named: "SecurityUpd2003-11-19.dmg"
Its SHA-1 digest is: 0cfb4c9048859a2e8a60424400e081da5ff84b80
Vendor URL: www.gzip.org/zlib/
Cause:
Boundary error
Underlying OS:
UNIX (OS X)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Wed, 19 Nov 2003 17:40:26 -0800
Subject: APPLE-SA-2003-11-19 Security Update 2003-11-19
APPLE-SA-2003-11-19 Security Update 2003-11-19
Security Update 2003-11-19 is now available for Mac OS X 10.2.8 and
Mac OS X 10.3.
It is Apple's policy to quickly address significant vulnerabilities in
past releases of Mac OS X wherever feasible. Security Update
2003-11-19 includes updates to several components of Mac OS X v10.2
"Jaguar" that meet this criteria.
Updates for Mac OS X v10.2.8 "Jaguar" and Mac OS X Server v10.2.8
=================================================================
gm4: Fixes CAN-2001-1411 a format string vulnerability in the gm4
utility. No setuid root programs relied on gm4 and this fix is a
preventive measure against a possible future exploit.
groff: Fixes VU#399883 where the groff component pic contained a
format-string vulnerability.
Mail: Fixes CAN-2003-0881 the Mac OS X Mail application will no longer
fall back to plain text login when an account is configured to use MD5
Challenge Response.
OpenSSL: Fixes CAN-2003-0851 parsing particular malformed ASN.1
sequences are now handled in a more secure manner.
Personal File Sharing: Fixes CAN-2003-0878 when Personal File Sharing
is enabled, the slpd daemon can no longer create a root-owned file in
the /tmp directory to gain elevated privileges.
QuickTime for Java: Fixes CAN-2003-0871 a potential vulnerability that
could allow unauthorized access to a system.
zlib: Addresses CAN-2003-0107. While there were no functions in Mac
OS X that used the vulnerable gzprintf() function, the underlying
issue in zlib has been fixed to protect any third-party applications
that may potentially use this library.
Updates for Mac OS X v10.3.1 "Panther" and Mac OS X Server v10.3.1
==================================================================
OpenSSL: Fixes CAN-2003-0851 parsing particular malformed ASN.1
sequences are now handled in a more secure manner.
zlib: Addresses CAN-2003-0107. While there were no functions in Mac
OS X that used the vulnerable gzprintf() function, the underlying
issue in zlib has been fixed to protect any third-party applications
that may potentially use this library.
================================================
Security Update 2003-11-19 may be obtained from:
* Software Update pane in System Preferences
* Apple's Software Downloads web site:
Security update 2003-11-19 for Jaguar 10.2.8
http://www.info.apple.com/kbnum/n120277
The download file is named: "SecurityUpd2003-11-19Jag.dmg"
Its SHA-1 digest is: bf6dfd69f084d1ffc0a0db9eff5252fb3213178b
Security Update 2003-11-19 for Panther 10.3.1
http://www.info.apple.com/kbnum/n120278
The download file is named: "SecurityUpd2003-11-19.dmg"
Its SHA-1 digest is: 0cfb4c9048859a2e8a60424400e081da5ff84b80
Information will also be posted to the Apple Product Security web
site:
http://www.apple.com/support/security/security_updates.html
This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html
security-announce mailing list | security-announce@lists.apple.com