zlib gzprintf buffer overflow

zlib-gzprintf-bo (11381)

High Risk

Description:

zlib is vulnerable to a denial of service attack, caused by a buffer overflow in the gzprintf function. By passing 4096 or more bytes to the gzprintf function in zlib, a local attacker could overflow a buffer and cause zlib to crash or execute arbitrary code on the system with elevated privileges.

Consequences:

Gain Privileges

Remedy:

For VMware:
Refer to VMSA-2007-0003 for patch, upgrade or suggested workaround information. See References.

For OpenPKG:
Upgrade to the latest zlib package, as listed below. Refer to OpenPKG Security Advisory OpenPKG-SA-2003.015 for more information. See References.

OpenPKG CURRENT: 1.1.4-20030227 or later
OpenPKG 1.2: 1.1.4-1.2.1 or later
OpenPKG 1.1: 1.1.4-1.1.1 or later

For Caldera UnixWare 7.1.1, 7.1.3, and OpenUnix 8.0.0: Upgrade to the latest libz package (1.1.4-2 or later), as listed in SCO Security Advisory CSSA-2003-011.0. See References.

For Mandrake Linux:
Upgrade to the latest zlib package as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2003:033:zlib for more information. See References.

Mandrake Linux 7.2 and Single Network Firewall 7.2: 1.1.3-11.2mdk or later
Mandrake Linux 8.0 and 8.1: 1.1.3-16.2mdk or later
Mandrake Linux 8.2 and Multi Network Firewall 8.2: 1.1.3-19.1mdk or later
Mandrake Linux 9.0 and Corporate Server 2.1: 1.1.4-5.1mdk or later

For Gentoo Linux:
Upgrade to the latest version of zlib (1.1.4-r1 or later), as listed in Gentoo Linux Security Announcement 200303-25. See References.

For Conectiva Linux:
Upgrade to the latest zlib package, as listed below. Refer to Connectiva Linux Security Announcement CLSA-2003:619 for more information. See References.

Conectiva Linux 6.0: 1.1.3-15U60_2cl or later
Conectiva Linux 7.0: 1.1.3-15U70_2cl or later
Conectiva Linux 8: 1.1.3-16U80_1cl or later

For Red Hat Linux:
Upgrade to the latest zlib package, as listed below. Refer to RHSA-2003:079-10 for more information. See References.

Red Hat 7.1, 7.2, and 7.3: 1.1.4-8.7x or later
Red Hat 8.0: 1.1.4-8.8x or later

For Immunix 7+:
Upgrade to the latest version of zlib (1.1.3-25.7_imnx_2 or later), as listed in Immunix Secured OS Security Advisory IMNX-2003-7+-015-01. See References.

For Sun Solaris:
Apply the appropriate patch for your system, as listed below. Refer to Sun Alert ID: 57405 for more information. See References.

(Sparc)
Solaris 8: 112611-02 or later
Solaris 9: 115754-02 or later

(Intel)
Solaris 8: 112612-02 or later
Solaris 9: 115755-02 or later

For SGI IRIX:
Apply the patch for this vulnerability, as listed in SGI Security Advisory 20031002-01-U. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

• BugTraq Mailing List, 2003-02-23 18:38:40: poc zlib sploit just for fun :).
• BugTraq Mailing List, Fri Feb 21 2003 - 18:05:47 CST: buffer overrun in zlib 1.1.4 .
• BugTraq Mailing List, Tue Feb 25 2003 - 12:22:57 CST: [sorcerer-spells] ZLIB-SORCERER2003-02-25.
• BugTraq Mailing List, Wed Apr 04 2007 - 15:20:26 CDT : VMSA-2007-0003 VMware ESX 3.0.1 and 3.0.0 server security updates.
• Conectiva Linux Security Announcement CLSA-2003:619: zlib.
• Gentoo Linux Security Announcement 200303-25: zlib. (From LinuxSecurity archive)
• Immunix Secured OS Security Advisory IMNX-2003-7+-015-01: zlib. (From LinuxSecurity archive)
• SCO Security Advisory CSSA-2003-011.0: Linux: format string vulnerability in zlib (gzprintf).
• SGI Security Advisory 20031002-01-U: SGI Advanced Linux Environment security update #3.
• Sun Alert ID: 57405: Security Vulnerability in Solaris zlib(libz(3)) Compression Library Function gzprintf( ).
• zlib Web site: zlib.
• BID-6913: Zlib Compression Library gzprintf() Buffer Overrun Vulnerability
• BID-9074: Apple Mac OS X Jaguar/Panther Multiple Vulnerabilities
• CVE-2003-0107: Buffer overflow in the gzprintf function in zlib 1.1.4, when zlib is compiled without vsnprintf or when long inputs are truncated using vsnprintf, allows attackers to cause a denial of service or possibly execute arbitrary code.
• MDKSA-2003:033: Updated zlib packages fix buffer overrun vulnerability
• OpenPKG-SA-2003.015: zlib
• OSVDB ID: 6599: zlib gzprintf() Local Overflow
• RHSA-2003-079: Updated zlib packages fix gzprintf buffer overflow vulnerability
• RHSA-2003-081: zlib security update

Platforms Affected:

• Conectiva Linux 6.0
• Conectiva Linux 7.0
• Conectiva Linux 8.0
• Gentoo Linux
• GNU zlib 1.1.4
• Immunix Immunix OS 7+-beta
• MandrakeSoft Mandrake Linux 7.2
• MandrakeSoft Mandrake Linux 8.0
• MandrakeSoft Mandrake Linux 8.0 PPC
• MandrakeSoft Mandrake Linux 8.1
• MandrakeSoft Mandrake Linux 8.1 IA64
• MandrakeSoft Mandrake Linux 8.2 PPC
• MandrakeSoft Mandrake Linux 8.2
• MandrakeSoft Mandrake Linux 9.0
• MandrakeSoft Mandrake Linux Corporate Server 2.1
• MandrakeSoft Mandrake Multi Network Firewall 8.2
• MandrakeSoft Mandrake Single Network Firewall 7.2
• OpenPKG OpenPKG 1.1
• OpenPKG OpenPKG 1.2
• OpenPKG OpenPKG CURRENT
• RedHat Enterprise Linux 2.1 WS
• RedHat Enterprise Linux 2.1 ES
• RedHat Enterprise Linux 2.1 AS
• RedHat Linux 7
• RedHat Linux 7.1
• RedHat Linux 7.2
• RedHat Linux 7.3
• RedHat Linux 8.0
• RedHat Linux Advanced Workstation 2.1 Itanium
• SCO Caldera OpenLinux Server 3.1
• SCO Caldera OpenLinux Server 3.1.1
• SCO Caldera OpenLinux Workstation 3.1
• SCO Caldera OpenLinux Workstation 3.1.1
• SGI IRIX 2.2.1
• SGI IRIX 2.3
• Sun Solaris 8
• Sun Solaris 9
• Turbolinux Turbolinux 7 Server
• Turbolinux Turbolinux 7 Workstation
• Turbolinux Turbolinux 8 Server
• Turbolinux Turbolinux 8 Workstation
• Turbolinux Turbolinux Advanced Server 6
• Turbolinux Turbolinux Server 6.1
• Turbolinux Turbolinux Server 6.5
• Turbolinux Turbolinux Workstation 6.0
• VMware ESX Server 3.0.0
• VMware ESX Server 3.0.1

Reported:

Feb 21, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page