CVE-2004-0797: #252253 - SIGSEGV in zlib1g 1.2.1.1-3 with pwzip-file
The error handling in the (1) inflate and (2) inflateBack functions in ZLib compression library 1.2.x allows local users to cause a denial of service (application crash).
Debian Bug report logs - #252253
SIGSEGV in zlib1g 1.2.1.1-3 with pwzip-file
Reported by: Johan Thelmén [email protected]
Date: Wed, 2 Jun 2004 11:18:03 UTC
Severity: important
Tags: confirmed, fixed-upstream, patch, upstream
Found in version 1.2.1.1-3
Fixed in version zlib/1:1.2.1.1-6
Done: Mark Brown [email protected]
Bug is archived. No further changes may be made.
Report forwarded to [email protected], Mark Brown [email protected]:
Bug#252253; Package zlib1g.
Acknowledgement sent to Johan Thelmén [email protected]:
New Bug report received and forwarded. Copy sent to Mark Brown [email protected].
Message #5 received at [email protected]:
Package: zlib1g
Version: 1.2.1.1-3
Severity: important
Debian version 0.70 and also in clamscan / ClamAV version devel-20040602
ii zlib1g 1.2.1.1-3
With zlib1g_1.1.4-1.0woody0_i386.deb it is working.
inflate_table (type=LENS, lens=0x8c24c08, codes=281, table=0x8c24c04, bits=0x8c24bec, work=0x8c24e88) at inftrees.c:110
110 count[lens[sym]]++;
(gdb) bt
#0 inflate_table (type=LENS, lens=0x8c24c08, codes=281, table=0x8c24c04, bits=0x8c24bec, work=0x8c24e88) at inftrees.c:110
#1 0x4006745b in inflate (strm=0x8054db8, flush=0) at inflate.c:868
#2 0x400273d9 in zzip_file_read (fp=0x8054d90, buf=0x0, len=146951176) at zziplib/zzip-file.c:391
#3 0x4002169b in cli_scanzip (desc=7, virname=0xbffff7a8, scanned=0x80529dc, root=0x805b198, limits=0x8c27338, options=9, reclev=0xbffff784) at scanners.c:457
#4 0x40023139 in cli_magic_scandesc (desc=7, virname=0xbffff7a8, scanned=0x80529dc, root=0x805b198, limits=0x8c27338, options=9, reclev=0xbffff784) at scanners.c:1072
#5 0x40023362 in cl_scandesc (desc=146951176, virname=0x8c24c08, scanned=0x8c24c08, root=0x8c24c08, limits=0x8c24c08, options=146951176) at scanners.c:1136
#6 0x0804dac8 in checkfile (filename=0x8054c08 "3556419.4495.BKSO1kjuV", root=0x8c24c08, limits=0x8c24c08, options=146951176) at manager.c:832
#7 0x0804ca05 in scanfile (filename=0x8054c08 "3556419.4495.BKSO1kjuV", root=0x805b198, user=0x401f3f58, opt=0x8053008, limits=0x8c27338) at manager.c:513
#8 0x0804bdad in scanmanager (opt=0x8053008) at manager.c:307
#9 0x0804ab43 in clamscan (opt=0x8053008) at clamscan.c:147
#10 0x0804b2b8 in main (argc=2, argv=0xbffffb54) at options.c:149
– Johan Thelmén Cygate Måldata Sweden Borlänge
Information forwarded to [email protected]:
Bug#252253; Package zlib1g.
Acknowledgement sent to Mark Brown [email protected]:
Extra info received and forwarded to list.
Message #10 received at [email protected]:
On Wed, Jun 02, 2004 at 01:06:36PM +0200, Johan Thelmén wrote:
#7 0x0804ca05 in scanfile (filename=0x8054c08 "3556419.4495.BKSO1kjuV", root=0x805b198, user=0x401f3f58, opt=0x8053008,
Could you please supply one of these files that’s causing trouble?
Thanks.
– “You grabbed my hand and we fell into it, like a daydream - or a fever.”
Tags added: upstream Request was from [email protected] (Mark Brown) to [email protected].
Tags added: confirmed Request was from [email protected] (Mark Brown) to [email protected].
Information forwarded to [email protected]:
Bug#252253; Package zlib1g.
Acknowledgement sent to Mark Brown [email protected]:
Extra info received and forwarded to list.
Message #19 received at [email protected]:
tag 252253 + patch pending
thanks
I’ve got a fix which appears to deal with the problem.
– “You grabbed my hand and we fell into it, like a daydream - or a fever.”
Tags added: patch, pending Request was from Mark Brown [email protected] to [email protected].
Tags added: fixed-upstream Request was from [email protected] (Mark Brown) to [email protected].
Information forwarded to [email protected], Mark Brown [email protected]:
Bug#252253; Package zlib1g.
Acknowledgement sent to [email protected]:
Extra info received and forwarded to list. Copy sent to Mark Brown [email protected].
Message #28 received at [email protected]:
Good Morning,
according to the following link http://lwn.net/Articles/99288/ the severity should be changed or is this bug fixed in zlib1:1.2.1.1-5?
Regards
Chris
Information forwarded to [email protected]:
Bug#252253; Package zlib1g.
Acknowledgement sent to Mark Brown [email protected]:
Extra info received and forwarded to list.
Message #33 received at [email protected]:
On Wed, Aug 25, 2004 at 10:47:57PM +0200, Chris Lehnberger wrote:
according to the following link http://lwn.net/Articles/99288/ the severity should be changed or is this bug fixed in zlib1:1.2.1.1-5?
Probably, though the release and security teams are already aware. It will be fixed in -6.
– “You grabbed my hand and we fell into it, like a daydream - or a fever.”
Reply sent to Mark Brown [email protected]:
You have taken responsibility.
Notification sent to Johan Thelmén [email protected]:
Bug acknowledged by developer.
Message #38 received at [email protected]:
Source: zlib
Source-Version: 1:1.2.1.1-6
We believe that the bug you reported is fixed in the latest version of zlib, which is due to be installed in the Debian FTP archive:
zlib-bin_1.2.1.1-6_i386.deb to pool/main/z/zlib/zlib-bin_1.2.1.1-6_i386.deb
zlib1g-dev_1.2.1.1-6_i386.deb to pool/main/z/zlib/zlib1g-dev_1.2.1.1-6_i386.deb
zlib1g-udeb_1.2.1.1-6_i386.udeb to pool/main/z/zlib/zlib1g-udeb_1.2.1.1-6_i386.udeb
zlib1g_1.2.1.1-6_i386.deb to pool/main/z/zlib/zlib1g_1.2.1.1-6_i386.deb
zlib_1.2.1.1-6.diff.gz to pool/main/z/zlib/zlib_1.2.1.1-6.diff.gz
zlib_1.2.1.1-6.dsc to pool/main/z/zlib/zlib_1.2.1.1-6.dsc
A summary of the changes between this version and the previous one is attached.
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mark Brown [email protected] (supplier of updated zlib package)
(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])
Format: 1.7
Date: Sat, 21 Aug 2004 23:30:57 +0100
Source: zlib
Binary: zlib1g-dev zlib1g lib64z1-dev lib64z1 zlib1g-udeb zlib-bin
Architecture: source i386
Version: 1:1.2.1.1-6
Distribution: testing
Urgency: high
Maintainer: Mark Brown [email protected]
Changed-By: Mark Brown [email protected]
Description:
 zlib-bin - compression library - sample programs
 zlib1g - compression library - runtime
 zlib1g-dev - compression library - development
 zlib1g-udeb - compression library - runtime for Debian installer (udeb)
Closes: 252253
Changes:
 zlib (1:1.2.1.1-6) testing; urgency=high
 .
 * Fix the error handling in the new inflate implementation to avoid incorrectly continuing to process in the error state. Thanks to Johan Thelmén [email protected] for his help in finding and fixing this bug. This is CAN-2004-0797 (closes: #252253).
Files:
 08adcb71b4ed23d9b38fd5912f86c73c 679 libs optional zlib_1.2.1.1-6.dsc
 4e8989cfce378495761a467b275ec09c 17454 libs optional zlib_1.2.1.1-6.diff.gz
 e1e08653f9d0d79c9a50a8c6742bb557 38320 debian-installer optional zlib1g-udeb_1.2.1.1-6_i386.udeb
 a6d230f3f3969ae7d1895435b4662282 62070 libs required zlib1g_1.2.1.1-6_i386.deb
 70872f7645e1a0b5efd308ce3534cec4 409254 libdevel optional zlib1g-dev_1.2.1.1-6_i386.deb
 104c1001587d0edaab3b39765ce8f729 25232 utils optional zlib-bin_1.2.1.1-6_i386.deb
package-type: udeb
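A triage check for the versions named in this log, as an added example that is not part of the bug log or of Debian's tooling: it orders an installed zlib1g version against the fixed version 1:1.2.1.1-6 using Debian's version-comparison rules. The function names are hypothetical, and comparing a version quoted without an epoch on upstream version and revision only is an assumption made because the report quotes versions that way.

```python
import re
FIXED = "1:1.2.1.1-6"  # "Fixed in version" from this bug log

def split_version(v):
    """Return (epoch or None, upstream, revision) for a Debian version."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = None, v
    upstream, dash, rev = rest.rpartition("-")
    if not dash:
        upstream, rev = rest, "0"  # a missing revision is equivalent to "0"
    return (None if epoch is None else int(epoch)), upstream, rev

def order(c):
    # '~' sorts first, then end-of-string/digits, then letters, then the rest
    if c == "" or c.isdigit():
        return 0
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def cmp_part(a, b):
    """Compare two upstream or revision strings using dpkg's ordering."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            oa, ob = order(a[:1]), order(b[:1])
            if oa != ob:
                return -1 if oa < ob else 1
            a, b = a[1:], b[1:]
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
        a, b = a[len(na):], b[len(nb):]
    return 0

def compare(v1, v2):
    (e1, u1, r1), (e2, u2, r2) = split_version(v1), split_version(v2)
    # Assumption: a version quoted without an epoch is compared without it.
    if None not in (e1, e2) and e1 != e2:
        return -1 if e1 < e2 else 1
    return cmp_part(u1, u2) or cmp_part(r1, r2)

def triage(installed):
    if not split_version(installed)[1].startswith("1.2."):
        return "outside 1.2.x"  # the CVE text names the 1.2.x series
    return "affected" if compare(installed, FIXED) < 0 else "fixed"

if __name__ == "__main__":  # versions quoted in this bug log
    for v in ("1.1.4-1.0woody0", "1.2.1.1-3", "1:1.2.1.1-5", "1:1.2.1.1-6"):
        print(v, "->", triage(v))
```
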
Debian bug tracking system administrator <[email protected]>. Last modified: Wed Jun 22 17:11:36 2022; Machine Name: buxtehude