Fw: [OpenPKG-SA-2003.015] OpenPKG Security Advisory (zlib)

Niki Guldbrand nikig at vip.cybercity.dk
Fri Mar 7 10:06:44 GMT 2003


Hi all.

The zlib gzprintf() bug does not seem to affect programs with zlib
embedded into them.

See the "NOTICE 2" section.



Begin forwarded message:

Date: Tue, 4 Mar 2003 17:47:54 +0100
From: OpenPKG <openpkg at openpkg.org>
To: bugtraq at securityfocus.com
Subject: [OpenPKG-SA-2003.015] OpenPKG Security Advisory (zlib)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security at openpkg.org                         openpkg at openpkg.org
OpenPKG-SA-2003.015                                          04-Mar-2003
________________________________________________________________________

Package:             zlib
Vulnerability:       denial of service, code execution
OpenPKG Specific:    no

Affected Releases:   Affected Packages:      Corrected Packages:
OpenPKG CURRENT      <= zlib-1.1.4-20020312  >= zlib-1.1.4-20030227
OpenPKG 1.2          <= zlib-1.1.4-1.2.0     >= zlib-1.1.4-1.2.1
OpenPKG 1.1          <= zlib-1.1.4-1.1.0     >= zlib-1.1.4-1.1.1

Affected Releases:   Dependent Packages:
OpenPKG CURRENT      none (see NOTICE 2 below)
OpenPKG 1.2          none (see NOTICE 2 below)
OpenPKG 1.1          none (see NOTICE 2 below)

Description:
  The zlib [0] compression library provides an API function gzprintf()
  which is a convenient printf(3) style formatted output function based
  on zlib's raw output function gzwrite(). Richard Kettlewell discovered
  [1] that the implementation of gzprintf() by default uses the portable
  but insecure vsprintf(3) and sprintf(3) functions (subject to buffer
  overflows), although optionally one was able to use the secure
  vsnprintf(3) and snprintf(3) functions. Unfortunately, even the
  optional use of vsnprintf(3) and snprintf(3) did not take the function
  return value (number of characters which were written or which would
  have been written in case a truncation took place) into account.
  
  As a result gzprintf() will smash the run-time stack if called with
  arguments that expand to more than Z_PRINTF_BUFSIZE (= 4096 by
  default) bytes. This allows attackers to cause a Denial of Service
  (DoS) or possibly execute arbitrary code. The Common Vulnerabilities
  and Exposures (CVE) project assigned the id CAN-2003-0107 [2] to the
  problem.

  The OpenPKG zlib packages were fixed by adding the necessary configure
  script checks to always use the secure vsnprintf(3) and snprintf(3)
  functions. Additionally, the code was adjusted to correctly take
  into account the return value of vsnprintf(3) and snprintf(3) and
  especially makes sure that truncated writes are not performed (which
  in turn can lead to new security issues).
  
  NOTICE 1: Keep in mind that our particular code changes fix the
  problems on our six officially supported Unix platforms only (FreeBSD
  4/5, Debian 2.2/3.0 and Solaris 8/9). It is not a general solution
  applicable to arbitrary Unix platforms where OpenPKG might also work.

  Please check whether you are affected by running "<prefix>/bin/rpm
  -q zlib". If you have the "zlib" package installed and its version
  is affected (see above), we recommend that you immediately upgrade
  it (see Solution) [3][4].

  NOTICE 2: OpenPKG CURRENT currently has 49 packages depending on
  the "zlib" package and 7 packages which have a local copy of zlib
  embedded. Fortunately, none of those 56 packages use the affected
  gzprintf() function -- neither directly nor indirectly.

Solution:
  Select the updated source RPM appropriate for your OpenPKG release
  [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
  location, verify its integrity [9], build a corresponding binary RPM
  from it [3] and update your OpenPKG installation by applying the
  binary RPM [4]. For the current release OpenPKG 1.2, perform the
  following operations to permanently fix the security problem (for
  other releases adjust accordingly).

  $ ftp ftp.openpkg.org
  ftp> bin
  ftp> cd release/1.2/UPD
  ftp> get zlib-1.1.4-1.2.1.src.rpm
  ftp> bye
  $ <prefix>/bin/rpm -v --checksig zlib-1.1.4-1.2.1.src.rpm
  $ <prefix>/bin/rpm --rebuild zlib-1.1.4-1.2.1.src.rpm
  $ su -
  # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/zlib-1.1.4-1.2.1.*.rpm
________________________________________________________________________

References:
  [0] http://www.gzip.org/zlib/
  [1] http://online.securityfocus.com/archive/1/312869
  [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0107
  [3] http://www.openpkg.org/tutorial.html#regular-source
  [4] http://www.openpkg.org/tutorial.html#regular-binary
  [5] ftp://ftp.openpkg.org/release/1.1/UPD/zlib-1.1.4-1.1.1.src.rpm
  [6] ftp://ftp.openpkg.org/release/1.2/UPD/zlib-1.1.4-1.2.1.src.rpm
  [7] ftp://ftp.openpkg.org/release/1.1/UPD/
  [8] ftp://ftp.openpkg.org/release/1.2/UPD/
  [9] http://www.openpkg.org/security.html#signature
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg at openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg at openpkg.org>

iD8DBQE+ZNXUgHWT4GPEy58RAorLAJ42kiOkr5DK4LNMJpBQi77vrIBjkwCdHqKz
mgzAuVVj36YHDmRp95U2uFc=
=eLZA
-----END PGP SIGNATURE-----


-- 
Med Venlig Hilsen / Best Regards
                              |  Teleservice Esbjerg A/S
Niki Guldbrand                |  Salingsundvej 4
IT-Administrator              |  6715 Esbjerg N
                              |  Denmark
Phone         : +45 79144544  |
Direct Phone  : +45 79144589  |  Web : http://www.teleservice.com
Fax           : +45 79144599  |

E-Mail        : Niki.Guldbrand at teleservice.com

--------------
	page 46
...a report citing a study by Dr. Thomas C. Chalmers, of the Mount Sinai
Medical Center in New York, which compared two groups that were being
used to test the theory that ascorbic acid is a cold preventative.  "The
group on placebo who thought they were on ascorbic acid," says Dr.
Chalmers, "had fewer colds than the group on ascorbic acid who thought
they were on placebo."
	page 56
The placebo is proof that there is no real separation between mind and
body.  Illness is always an interaction between both.  It can begin in
the mind and affect the body, or it can begin in the body and affect the
mind, both of which are served by the same bloodstream.  Attempts to
treat most mental diseases as though they were completely free of
physical causes and attempts to treat most bodily diseases as though the
mind were in no way involved must be considered archaic in the light of
new evidence about the way the human body functions.
		-- Norman Cousins,
		"Anatomy of an Illness as Perceived by the Patient"
--------------
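
The fix the forwarded advisory describes (always use vsnprintf(3), check its return value, and refuse truncated writes) is sketched below. This is an added example, not part of the original message and not zlib's or OpenPKG's code. The names FMT_BUFSIZE, sink_write(), print_unchecked(), print_checked() and demo() are hypothetical, and sink_write() merely stands in for gzwrite().

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define FMT_BUFSIZE 4096 /* same default as the advisory's Z_PRINTF_BUFSIZE */
/* Hypothetical sink standing in for gzwrite(); it only reports the length. */
static int sink_write(const char *buf, size_t len) { (void)buf; return (int)len; }

/* Bounded call, return value ignored: oversized output is silently
 * truncated and the truncated data is still written. */
static int print_unchecked(const char *fmt, ...)
{
    char buf[FMT_BUFSIZE];
    va_list ap;
    va_start(ap, fmt);
    (void)vsnprintf(buf, sizeof(buf), fmt, ap);
    va_end(ap);
    return sink_write(buf, strlen(buf));
}

/* Return value checked: on error or truncation nothing is written. */
static int print_checked(const char *fmt, ...)
{
    char buf[FMT_BUFSIZE];
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(buf, sizeof(buf), fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= sizeof(buf))
        return 0;
    return sink_write(buf, (size_t)n);
}

/* Constructed input: arg_len 'A' characters formatted through "%s". */
int demo(int checked, size_t arg_len)
{
    static char arg[8192];
    if (arg_len >= sizeof(arg)) return -1;
    memset(arg, 'A', arg_len);
    arg[arg_len] = '\0';
    return checked ? print_checked("%s", arg) : print_unchecked("%s", arg);
}

int main(void)
{
    printf("unchecked: %d, checked: %d\n", demo(0, 5000), demo(1, 5000));
    return 0;
}
```

With a 5000-byte argument the unchecked variant emits 4095 bytes of truncated data, while the checked variant emits nothing and lets the caller see the failure.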

