OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   04-Mar-2003 17:30:24
  Branch: HEAD                             Handle: 2003030416302300

  Modified files:
    openpkg-web/security    OpenPKG-SA-2003.015-zlib.txt

  Log:
    wooohhoo, we seem to have luck this time

  Summary:
    Revision    Changes     Path
    1.2         +25 -20     openpkg-web/security/OpenPKG-SA-2003.015-zlib.txt
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.015-zlib.txt
  ============================================================================
  $ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2003.015-zlib.txt
  --- openpkg-web/security/OpenPKG-SA-2003.015-zlib.txt 4 Mar 2003 15:36:41 -0000      
 1.1
  +++ openpkg-web/security/OpenPKG-SA-2003.015-zlib.txt 4 Mar 2003 16:30:23 -0000      
 1.2
  @@ -3,7 +3,7 @@
   OpenPKG Security Advisory                            The OpenPKG Project
   http://www.openpkg.org/security.html              http://www.openpkg.org
   [EMAIL PROTECTED]                         [EMAIL PROTECTED]
  -OpenPKG-SA-2003.015                                          03-Mar-2003
  +OpenPKG-SA-2003.015                                          04-Mar-2003
   ________________________________________________________________________
   
   Package:             zlib
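Review bot: The date bump from 03-Mar-2003 to 04-Mar-2003 in the header is the only trace that this advisory was revised; a reissued advisory should carry a short revision note (what changed: the Dependent Packages table and the added NOTICE 2) so readers who already acted on the first version can tell whether they need to re-read it.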
  @@ -16,21 +16,21 @@
   OpenPKG 1.1          <= zlib-1.1.4-1.1.0     >= zlib-1.1.4-1.1.1
   
   Affected Releases:   Dependent Packages:
  -OpenPKG CURRENT      bar quux
  -OpenPKG 1.2          bar quux
  -OpenPKG 1.1          bar 
  +OpenPKG CURRENT      none (see NOTICE 2 below)
  +OpenPKG 1.2          none (see NOTICE 2 below)
  +OpenPKG 1.1          none (see NOTICE 2 below)
   
   Description:
     The zlib [0] compression library provides an API function gzprintf()
  -  which is a convinient printf(3) style formatted output function
  -  based on zlib's raw output function gzwrite(). Richard Kettlewell
  -  discovered [1] that the implementation of gzprintf() by default uses
  -  the portable but unsecure vsprintf(3) function (subject to buffer
  -  overflow), although optionally one was able to enable the use of the
  -  secure vsnprintf(3) function. Unfortunately, even the optional use
  -  of vsnprintf(3) did not take the function return value (number of
  -  characters which were written or which would have been written in case
  -  a truncation took place) into account.
  +  which is a convenient printf(3) style formatted output function based on
  +  zlib's raw output function gzwrite(). Richard Kettlewell discovered [1] 
  +  that the implementation of gzprintf() by default uses the portable
  +  but unsecure vsprintf(3) and sprintf(3) functions (subject to buffer
  +  overflows), although optionally one was able to use the secure
  +  vsnprintf(3) and snprintf(3) functions. Unfortunately, even the
  +  optional use of vsnprintf(3) and snprintf(3) did not take the function
  +  return value (number of characters which were written or which would
  +  have been written in case a truncation took place) into account.
     
     As a result gzprintf() will smash the run-time stack if called with
     arguments that expand to more than Z_PRINTF_BUFSIZE (= 4096 by
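Review bot: In the rewritten description, "unsecure" should be "insecure" in both the vsprintf(3)/sprintf(3) sentence and, for consistency, anywhere else it appears. Also worth tightening the return-value sentence: the "number of characters which ... would have been written in case a truncation took place" is C99 semantics, while older vsnprintf(3)/snprintf(3) implementations return -1 on truncation, so a correct caller has to treat both a negative result and a result >= the buffer size as truncation. Stating that explicitly here would make the "even the optional use ... did not take the return value into account" claim precise.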
  @@ -40,12 +40,13 @@
     problem.
   
     The OpenPKG zlib packages were fixed by adding the necessary configure
  -  script checks to always use the secure vsnprintf(3). Additionally, the
  -  code was adjusted to correctly take into account the return value of
  -  vsnprintf(3) and especially makes sure that truncated writes are not
  -  performed (which in turn can lead to new security issues).
  +  script checks to always use the secure vsnprintf(3) and snprintf(3)
  +  functions. Additionally, the code was adjusted to correctly take
  +  into account the return value of vsnprintf(3) and snprintf(3) and
  +  especially makes sure that truncated writes are not performed (which
  +  in turn can lead to new security issues).
     
  -  NOTICE: Keep in mind that our particular code changes fix the
  +  NOTICE 1: Keep in mind that our particular code changes fix the
     problems on our six officially supported Unix platforms only (FreeBSD
     4/5, Debian 2.2/3.0 and Solaris 8/9). It is not a general solution
     applicable to arbitrary Unix platforms where OpenPKG might also work.
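Review bot: The sentence "makes sure that truncated writes are not performed" does not say what gzprintf() now returns when the formatted output would exceed Z_PRINTF_BUFSIZE; since callers of a printf-style function commonly check the return value, the advisory (or at least the package changelog) should state whether a truncated call returns 0 or an error indication so dependent code can be reviewed against that contract. Suggest extending the sentence to "... truncated writes are not performed and such calls return <value>".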
  @@ -53,8 +54,12 @@
     Please check whether you are affected by running "<prefix>/bin/rpm
     -q zlib". If you have the "zlib" package installed and its version
     is affected (see above), we recommend that you immediately upgrade
  -  it (see Solution) and it's dependent packages (see above), if any,
  -  too. [3][4]
  +  it (see Solution) [3][4].
  +
  +  NOTICE 2: OpenPKG CURRENT currently has 49 packages depending on
  +  the "zlib" package and 7 packages which have a local copy of zlib
  +  embedded. Fortunately, none of those 56 packages use the affected
  +  gzprintf() function -- neither directly or indirectly.
   
   Solution:
     Select the updated source RPM appropriate for your OpenPKG release
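Review bot: NOTICE 2 should use "neither directly nor indirectly" ("neither ... or" is ungrammatical). More substantively, the notice counts 49 + 7 = 56 packages for OpenPKG CURRENT only, yet the Dependent Packages table in the earlier hunk cites it for OpenPKG 1.2 and 1.1 as well; the notice should say whether the same audit covered the package sets of those two releases, or the table entries should be qualified. Finally, the 7 packages with an embedded zlib copy still ship the vulnerable gzprintf() code even though nothing calls it today; it would help to state whether those embedded copies will be patched in a follow-up so that a future caller does not silently reintroduce the issue.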
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]
