[29004] in bugtraq


Re: buffer overrun in zlib 1.1.4

daemon@ATHENA.MIT.EDU (Carlo Marcelo Arenas Belon)
Mon Feb 24 12:47:26 2003

Date: Mon, 24 Feb 2003 07:25:11 -0500 (PET)
From: Carlo Marcelo Arenas Belon <carenas@chasqui.lared.net.pe>
To: Richard Kettlewell <rjk@greenend.org.uk>
In-Reply-To: <wwvptpl5gdg.fsf@rjk.greenend.org.uk>
Message-ID: <Pine.LNX.4.44.0302231636340.9527-200000@chasqui.LaRed.net.pe>
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="633865674-1902989463-1046089511=:9527"

--633865674-1902989463-1046089511=:9527
Content-Type: TEXT/PLAIN; charset=US-ASCII

> There is an internal #define (HAS_vsnprintf) that causes it to use
> vsnprintf() instead of vsprintf(), but this is not enabled by default,
> not tested for by the configure script, and not documented.

the configure script on zlib is not generated by autoconf and is optional
when building; therefore there is no config.h, and the included file
"zconf.h", which is the one used for system-related configuration, is static.

something interesting, though, is that the preprocessor variables being
tested are HAVE_* instead of HAS_* (HAS_vsnprintf and HAS_snprintf), as
the ones found in gzio.c, which could help to explain why it is neither
documented nor tested for.

from the Changelog it seems those functions were added in version 1.0.6
(Jan 19, 1998) by Roland Giersig and Kevin Ruland, and probably they never
included the test in configure for that.

> Even if it was documented, tested for, or whatever, it is unclear what
> platforms without vsnprintf() are supposed to do.  Put up with the
> security hole, perhaps.

from the code it seems that they are supposed to use vsprintf (in an
ANSI C environment) or sprintf (if not ANSI C).

in any case, long strings will be silently truncated and overflows are
possible, like the one you coded.

> Finally, with HAS_vsnprintf defined, long strings will be silently
> truncated (and this isn't documented anywhere).  Unexpected truncation
> of strings can have security implications too; I seem to recall that a
> popular MTA had trouble with over-long HELO strings for instance.

the attached patch fixes both of the problems, even if it breaks on
systems with a broken [v]snprintf (any one yet?), and that could be
considered a prerequisite for building, probably using a custom-made
[v]snprintf implementation like the one at:

  http://www.ijs.si/software/snprintf/

regards,

Carlo

--633865674-1902989463-1046089511=:9527
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="zlib-1.1.4-vsnprintf.patch"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.44.0302240725110.9527@chasqui.LaRed.net.pe>
Content-Description: patch for zlib 1.1.4 that fixes buffer overrun on gzprintf
Content-Disposition: attachment; filename="zlib-1.1.4-vsnprintf.patch"
--633865674-1902989463-1046089511=:9527--
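Added example, not zlib's code and not the attached patch: the unbounded vsprintf() pattern the thread describes, next to a vsnprintf() wrapper that checks the return value so over-long input is reported as truncated instead of being silently shortened. BUF_SIZE, the function names and the HELO sample inputs are constructed for this demo.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* constructed demo size, not zlib's own buffer size */
enum { FMT_TRUNCATED = -1, FMT_ERROR = -2 };

/* The pattern the thread warns about: vsprintf() has no bound, so input
 * longer than buf overruns it. Called below only with short, safe input,
 * to show the shape of the bug next to the checked version. */
static int format_unchecked(char *buf, const char *fmt, ...)
{
    va_list ap; int n;
    va_start(ap, fmt);
    n = vsprintf(buf, fmt, ap);          /* unbounded write */
    va_end(ap);
    return n;
}

/* Hardened form: vsnprintf() bounds the write and returns the length the
 * full output would have had, so truncation is detected and reported
 * rather than silently handing a shortened string back to the caller. */
static int format_checked(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap; int n;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0)
        return FMT_ERROR;                /* format/encoding failure */
    if ((size_t)n >= size) {
        buf[0] = '\0';                   /* fail closed: no partial string */
        return FMT_TRUNCATED;
    }
    return n;                            /* bytes written, NUL excluded */
}

/* Constructed inputs: a HELO line that fits, and one that does not. */
int demo_unchecked_short(void) { char b[BUF_SIZE]; return format_unchecked(b, "HELO %s\r\n", "mail.example.net"); }
int demo_fits(void) { char b[BUF_SIZE]; return format_checked(b, sizeof b, "HELO %s\r\n", "mail.example.net"); }
int demo_too_long(void)
{
    char buf[BUF_SIZE], host[200];
    memset(host, 'A', sizeof host - 1); host[sizeof host - 1] = '\0';
    return format_checked(buf, sizeof buf, "HELO %s\r\n", host);
}

int main(void) { printf("%d %d %d\n", demo_unchecked_short(), demo_fits(), demo_too_long()); return 0; }
```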
