[OpenPKG-SA-2003.015] OpenPKG Security Advisory (zlib)

From: OpenPKG (openpkgat_private)
Date: Tue Mar 04 2003 - 08:47:54 PST

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    ________________________________________________________________________
    
    OpenPKG Security Advisory                            The OpenPKG Project
    http://www.openpkg.org/security.html              http://www.openpkg.org
    openpkg-securityat_private                         openpkgat_private
    OpenPKG-SA-2003.015                                          04-Mar-2003
    ________________________________________________________________________
    
    Package:             zlib
    Vulnerability:       denial of service, code execution
    OpenPKG Specific:    no
    
    Affected Releases:   Affected Packages:      Corrected Packages:
    OpenPKG CURRENT      <= zlib-1.1.4-20020312  >= zlib-1.1.4-20030227
    OpenPKG 1.2          <= zlib-1.1.4-1.2.0     >= zlib-1.1.4-1.2.1
    OpenPKG 1.1          <= zlib-1.1.4-1.1.0     >= zlib-1.1.4-1.1.1
    
    Affected Releases:   Dependent Packages:
    OpenPKG CURRENT      none (see NOTICE 2 below)
    OpenPKG 1.2          none (see NOTICE 2 below)
    OpenPKG 1.1          none (see NOTICE 2 below)
    
    Description:
      The zlib [0] compression library provides an API function gzprintf()
      which is a convenient printf(3) style formatted output function based on
      zlib's raw output function gzwrite(). Richard Kettlewell discovered [1]
      that the implementation of gzprintf() formats into a fixed-size stack
      buffer of Z_PRINTF_BUFSIZE (= 4096 by default) bytes and by default
      uses the portable but insecure vsprintf(3) and sprintf(3) functions,
      which perform no bounds checking and therefore overflow that buffer,
      although optionally one was able to use the bounded vsnprintf(3) and
      snprintf(3) functions. Unfortunately, even the optional use of
      vsnprintf(3) and snprintf(3) did not take the function return value
      (number of characters which were written, or which would have been
      written in case a truncation took place) into account, so output that
      did not fit was silently truncated instead of being reported to the
      caller.

      As a result, in the default configuration gzprintf() will smash the
      run-time stack if called with arguments that expand to more than
      Z_PRINTF_BUFSIZE bytes. This allows attackers who influence the data
      passed to gzprintf() to cause a Denial of Service (DoS) or possibly
      execute arbitrary code. The Common Vulnerabilities and Exposures (CVE)
      project assigned the id CAN-2003-0107 [2] to the problem.
    
      The OpenPKG zlib packages were fixed by adding the necessary configure
      script checks to always use the bounded vsnprintf(3) and snprintf(3)
      functions. Additionally, the code was adjusted to correctly take
      into account the return value of vsnprintf(3) and snprintf(3) and, in
      particular, to refuse truncated writes altogether, since silently
      writing a cut-off string into the compressed stream can in turn lead
      to new security issues.
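      To make the defect and the fix concrete, the following is an added C
      example written for this page; it is not zlib's or OpenPKG's code. It
      assumes an in-memory sink in place of gzwrite() and a 64-byte buffer in
      place of the 4096-byte Z_PRINTF_BUFSIZE so the oversize case is cheap to
      trigger. The first function has the shape of the HAS_vsnprintf build of
      zlib 1.1.4 (return value ignored, length recomputed with strlen(), so the
      output is silently truncated); the second honours the return value and
      refuses to write anything when the output would not have fit. The
      default vsprintf(3) build is not reproduced, because actually running it
      on oversized input is undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stands in for Z_PRINTF_BUFSIZE (real default 4096); shrunk for the demo. */
#define PRINTF_BUFSIZE 64

/* Stand-in for gzwrite(): append to an in-memory sink instead of a .gz file. */
typedef struct {
    char   data[256];
    size_t len;
} sink_t;

static int sink_write(sink_t *s, const char *buf, unsigned len)
{
    size_t room = sizeof(s->data) - s->len;
    if (len > room) len = (unsigned)room;
    memcpy(s->data + s->len, buf, len);
    s->len += len;
    return (int)len;
}

/* Shape of zlib 1.1.4 gzprintf() built with HAS_vsnprintf: the vsnprintf()
 * return value is discarded and the length recomputed with strlen(), so output
 * longer than buf is silently cut off and the caller is never told. (The
 * default build called vsprintf() here and overflowed buf on the stack.) */
static int gzprintf_truncating(sink_t *s, const char *format, ...)
{
    char    buf[PRINTF_BUFSIZE];
    va_list va;
    int     len;

    va_start(va, format);
    (void)vsnprintf(buf, sizeof(buf), format, va);   /* result ignored */
    va_end(va);
    len = (int)strlen(buf);
    if (len <= 0) return 0;
    return sink_write(s, buf, (unsigned)len);
}

/* Hardened form in the spirit of the fix: always use the bounded vsnprintf(),
 * honour its return value, and write nothing when the output would not have
 * fit (zlib 1.2.x applies the same check). */
static int gzprintf_checked(sink_t *s, const char *format, ...)
{
    char    buf[PRINTF_BUFSIZE];
    va_list va;
    int     len;

    va_start(va, format);
    len = vsnprintf(buf, sizeof(buf), format, va);
    va_end(va);
    if (len < 0) return 0;                      /* formatting error */
    if ((size_t)len >= sizeof(buf)) return 0;   /* would have been truncated */
    return sink_write(s, buf, (unsigned)len);
}

/* Constructed demo input: 70 bytes of 'A', longer than PRINTF_BUFSIZE. */
static void long_input(char *out, size_t n)
{
    memset(out, 'A', n - 1);
    out[n - 1] = '\0';
}

/* Bytes the truncating variant "writes" for the oversized input (63). */
int demo_truncating_written(void)
{
    sink_t s = { {0}, 0 };
    char   in[71];
    long_input(in, sizeof in);
    return gzprintf_truncating(&s, "%s", in);
}

/* Bytes the checked variant writes for the same input (0: refused). */
int demo_checked_written(void)
{
    sink_t s = { {0}, 0 };
    char   in[71];
    long_input(in, sizeof in);
    return gzprintf_checked(&s, "%s", in);
}

/* Bytes the checked variant writes when the output fits (10). */
int demo_checked_fits(void)
{
    sink_t s = { {0}, 0 };
    return gzprintf_checked(&s, "record=%d\n", 42);
}

int main(void)
{
    printf("truncating: %d of 70 bytes written\n", demo_truncating_written());
    printf("checked:    %d of 70 bytes written\n", demo_checked_written());
    printf("checked:    %d bytes written when it fits\n", demo_checked_fits());
    return 0;
}
```

      The point of the checked variant is the second test: with the
      vsnprintf(3) return value in hand, an oversize call is rejected outright
      rather than producing a silently shortened record in the output stream.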
      
      NOTICE 1: Keep in mind that our particular code changes fix the
      problems on our six officially supported Unix platforms only (FreeBSD
      4/5, Debian 2.2/3.0 and Solaris 8/9). It is not a general solution
      applicable to arbitrary Unix platforms where OpenPKG might also work.
    
      Please check whether you are affected by running "<prefix>/bin/rpm
      -q zlib". If you have the "zlib" package installed and its version
      is affected (see above), we recommend that you immediately upgrade
      it (see Solution) [3][4].
    
      NOTICE 2: OpenPKG CURRENT currently has 49 packages depending on
      the "zlib" package and 7 packages which have a local copy of zlib
      embedded. Fortunately, none of those 56 packages use the affected
      gzprintf() function -- neither directly nor indirectly.
    
    Solution:
      Select the updated source RPM appropriate for your OpenPKG release
      [5][6], fetch it from the OpenPKG FTP service [7][8] or a mirror
      location, verify its integrity [9], build a corresponding binary RPM
      from it [3] and update your OpenPKG installation by applying the binary
      RPM [4]. For the current release OpenPKG 1.2, perform the following
      operations to permanently fix the security problem (for other releases
      adjust accordingly).
    
      $ ftp ftp.openpkg.org
      ftp> bin
      ftp> cd release/1.2/UPD
      ftp> get zlib-1.1.4-1.2.1.src.rpm
      ftp> bye
      $ <prefix>/bin/rpm -v --checksig zlib-1.1.4-1.2.1.src.rpm
      $ <prefix>/bin/rpm --rebuild zlib-1.1.4-1.2.1.src.rpm
      $ su -
      # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/zlib-1.1.4-1.2.1.*.rpm
    ________________________________________________________________________
    
    References:
      [0] http://www.gzip.org/zlib/
      [1] http://online.securityfocus.com/archive/1/312869
      [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0107
      [3] http://www.openpkg.org/tutorial.html#regular-source
      [4] http://www.openpkg.org/tutorial.html#regular-binary
      [5] ftp://ftp.openpkg.org/release/1.1/UPD/zlib-1.1.4-1.1.1.src.rpm
      [6] ftp://ftp.openpkg.org/release/1.2/UPD/zlib-1.1.4-1.2.1.src.rpm
      [7] ftp://ftp.openpkg.org/release/1.1/UPD/
      [8] ftp://ftp.openpkg.org/release/1.2/UPD/
      [9] http://www.openpkg.org/security.html#signature
    ________________________________________________________________________
    
    For security reasons, this advisory was digitally signed with
    the OpenPGP public key "OpenPKG <openpkgat_private>" (ID 63C4CB9F)
    of the OpenPKG project which you can find under the official URL
    http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
    check the integrity of this advisory, verify its digital signature by
    using GnuPG (http://www.gnupg.org/). For instance, pipe this message to
    the command "gpg --verify --keyserver keyserver.pgp.com".
    ________________________________________________________________________
    
    -----BEGIN PGP SIGNATURE-----
    Comment: OpenPKG <openpkgat_private>
    
    iD8DBQE+ZNXUgHWT4GPEy58RAorLAJ42kiOkr5DK4LNMJpBQi77vrIBjkwCdHqKz
    mgzAuVVj36YHDmRp95U2uFc=
    =eLZA
    -----END PGP SIGNATURE-----
    


