Bug 162391 - CAN-2005-2096 zlib buffer overflow
Summary: CAN-2005-2096 zlib buffer overflow
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: zlib
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Jay Turner
URL:
Whiteboard: embargo=20050706,impact=important,sou...
Depends On:
Blocks:
 
Reported: 2005-07-03 23:20 UTC by Josh Bressers
Modified: 2015-01-08 00:10 UTC (History)

Fixed In Version: RHSA-2005-569
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-07-06 14:31:02 UTC


Attachments
Proposed patch from upstream for this issue. (deleted), 2005-07-03 23:21 UTC, Josh Bressers


Links
Red Hat Product Errata RHSA-2005:569 (priority normal, status SHIPPED_LIVE): Important: zlib security update, last updated 2005-07-06 04:00:00 UTC

Description Josh Bressers 2005-07-03 23:20:10 UTC
This text comes from Mark Adler


The problem was that my previous check for an incomplete code set was much
too liberal. It allowed the passage of pathological code descriptions,
such as a single code of length 10, like what's in zlib-testcase.gz
(twice). The deflate spec allows for distance codes with a single code,
but in that case that single code must have length 1. The patch below now
permits incomplete codes only if they consist of a single code of length
1. Though the spec only mentions distance codes in this regard, my patch
also allows literal/length codes with a single code, which would permit a
dynamic block that only defines the end-of-block code. This should be
permitted by the spec, and it won't crash the code, so I'm letting it
through.

The consequence of letting pathological code descriptions through was that
filling out the decoding table with invalid code markers overran the
ENOUGH sized array and overwrote some other stuff in memory (whatever
happened to follow the inflate state). I thought that I had prevented
that with a check on how much of ENOUGH was being used by the
literal/length code, and knowing the maximum that could possibly be used
by a distance code based on an exhaustive search (MAXD). However my
exhaustive search only included valid distance code sets, and so
zlib-testcase.gz overran MAXD, after a similar pathological literal/length
code set had used most of ENOUGH - MAXD. The patch now only allows valid
code sets through, which are either exactly complete code sets or code
sets that consist of a single code of length 1.
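
Added example (not from this bug, the attached patch, or zlib's own inftrees.c): the code-set rule described above, written out in C. It uses the same left-over counting that a canonical Huffman table build performs, applies the corrected rule (exactly complete, or a single code of length 1) beside a model of the too-liberal rule (any lone code passes, whatever its length), and runs both over constructed inputs: the fixed literal/length lengths from the deflate spec, a lone 1-bit distance code, a lone 10-bit code of the shape the description attributes to zlib-testcase.gz, and an over-subscribed set. The function names, the reconstruction of the liberal rule and the sample vectors are assumptions made for this illustration; the actual test file is not on this page.

```c
/*
 * Illustration of the code-set validity rule from the description above.
 * Added example: not zlib's inftrees.c, although it uses the same
 * "left" counting over the per-length code counts.
 */
#include <stdio.h>
#include <stddef.h>

#define MAXBITS 15          /* deflate never uses code lengths above 15 */

enum code_set_status {
    CODE_SET_COMPLETE = 0,        /* Kraft sum exactly 1: a full prefix code */
    CODE_SET_SINGLE_BIT = 1,      /* one code of length 1: the allowed incomplete set */
    CODE_SET_EMPTY = 2,           /* no codes at all (zlib treats this separately) */
    CODE_SET_INCOMPLETE = -1,     /* unused code space that would need invalid-code fill */
    CODE_SET_OVERSUBSCRIBED = -2  /* more codes than a prefix code can hold */
};

/* Count codes per length and return the code space left after the longest
 * length: 0 = complete, >0 = incomplete, <0 = over-subscribed (or a bad length). */
static long tally(const unsigned short *lens, size_t n,
                  unsigned *max, unsigned *ncodes)
{
    unsigned count[MAXBITS + 1] = {0};
    long left = 1;
    unsigned len;
    size_t i;

    *max = 0;
    *ncodes = 0;
    for (i = 0; i < n; i++) {
        if (lens[i] > MAXBITS) return -1;      /* malformed length */
        count[lens[i]]++;                      /* length 0 = symbol unused */
    }
    for (len = 1; len <= MAXBITS; len++) {
        left = (left << 1) - (long)count[len]; /* leaves available at this depth */
        if (left < 0) return -1;               /* over-subscribed */
        if (count[len]) { *max = len; *ncodes += count[len]; }
    }
    return left;
}

/* Corrected rule: accept a complete set, or exactly one code of length 1. */
enum code_set_status check_code_set(const unsigned short *lens, size_t n)
{
    unsigned max, ncodes;
    long left = tally(lens, n, &max, &ncodes);
    if (left < 0) return CODE_SET_OVERSUBSCRIBED;
    if (max == 0) return CODE_SET_EMPTY;
    if (left == 0) return CODE_SET_COMPLETE;
    if (ncodes == 1 && max == 1) return CODE_SET_SINGLE_BIT;
    return CODE_SET_INCOMPLETE;
}

/* Model of the too-liberal rule the description refers to: any incomplete
 * set with a single code passed, regardless of that code's length.  This is
 * an assumed reconstruction for contrast, not the former zlib source. */
enum code_set_status check_code_set_liberal(const unsigned short *lens, size_t n)
{
    unsigned max, ncodes;
    long left = tally(lens, n, &max, &ncodes);
    if (left < 0) return CODE_SET_OVERSUBSCRIBED;
    if (max == 0) return CODE_SET_EMPTY;
    if (left == 0) return CODE_SET_COMPLETE;
    if (ncodes == 1) return CODE_SET_SINGLE_BIT;   /* length never checked */
    return CODE_SET_INCOMPLETE;
}

/* Constructed inputs for the demonstration. */
enum code_set_status case_fixed_literal(void)
{
    unsigned short lens[288];                    /* fixed literal/length code, RFC 1951 */
    int i;
    for (i = 0; i < 144; i++) lens[i] = 8;
    for (; i < 256; i++) lens[i] = 9;
    for (; i < 280; i++) lens[i] = 7;
    for (; i < 288; i++) lens[i] = 8;
    return check_code_set(lens, 288);            /* complete */
}

enum code_set_status case_single_distance_len1(void)
{
    unsigned short lens[30] = {1};               /* one distance code of length 1 */
    return check_code_set(lens, 30);             /* incomplete but allowed */
}

enum code_set_status case_single_code_len10(int liberal)
{
    unsigned short lens[30] = {10};              /* lone 10-bit code: the pathological shape */
    return liberal ? check_code_set_liberal(lens, 30) : check_code_set(lens, 30);
}

enum code_set_status case_oversubscribed(void)
{
    unsigned short lens[3] = {1, 1, 1};          /* three 1-bit codes cannot coexist */
    return check_code_set(lens, 3);
}

int main(void)
{
    printf("fixed literal/length code: %d\n", case_fixed_literal());
    printf("single 1-bit distance code: %d\n", case_single_distance_len1());
    printf("single 10-bit code, corrected rule: %d\n", case_single_code_len10(0));
    printf("single 10-bit code, liberal rule: %d\n", case_single_code_len10(1));
    printf("over-subscribed set: %d\n", case_oversubscribed());
    return 0;
}
```

The contrast is in the last two checks of each rule: both reject over-subscription the same way, but only the corrected rule ties the single-code exception to length 1, which is what keeps a lone long code from being expanded into the table as a run of invalid-code entries.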

Comment 1 Josh Bressers 2005-07-03 23:21:27 UTC
Created attachment 116314
Proposed patch from upstream for this issue.

Comment 7 Red Hat Bugzilla 2005-07-06 14:31:02 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-569.html


Comment 8 Josh Bressers 2005-07-06 14:32:45 UTC
Lifting embargo

