The error handling in the (1) inflate and (2) inflateBack functions in ZLib compression library 1.2.x allows local users to cause a denial of service (application crash).

**Debian Bug report logs - #252253  
SIGSEGV in zlib1g 1.2.1.1-3 with pwzip-file**

Reported by: Johan Thelmén <johan.thelmen@cygate.se>

Date: Wed, 2 Jun 2004 11:18:03 UTC

Severity: important

Tags: confirmed, fixed-upstream, patch, upstream

Found in version 1.2.1.1-3

Fixed in version zlib/1:1.2.1.1-6

**Done:** Mark Brown <broonie@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

**Report forwarded** to debian-bugs-dist@lists.debian.org, Mark Brown <broonie@debian.org>:  
Bug#252253; Package zlib1g. (full text, mbox, link).

**Acknowledgement sent** to Johan Thelmén <johan.thelmen@cygate.se>:  
New Bug report received and forwarded. Copy sent to Mark Brown <broonie@debian.org>. (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

Package: zlib1g
Version: 1.2.1.1-3
Severity: important

Debian verison 0.70 and also in clamscan / ClamAV version devel-20040602
ii  zlib1g                       1.2.1.1-3

With zlib1g\_1.1.4-1.0woody0\_i386.deb it is working.


inflate\_table (type=LENS, lens=0x8c24c08, codes=281, table=0x8c24c04, bits=0x8c24bec, work=0x8c24e88) at inftrees.c:110
110             count\[lens\[sym\]\]++;
(gdb) bt
#0  inflate\_table (type=LENS, lens=0x8c24c08, codes=281, table=0x8c24c04, bits=0x8c24bec, work=0x8c24e88) at inftrees.c:110
#1  0x4006745b in inflate (strm=0x8054db8, flush=0) at inflate.c:868
#2  0x400273d9 in zzip\_file\_read (fp=0x8054d90, buf=0x0, len=146951176) at zziplib/zzip-file.c:391
#3  0x4002169b in cli\_scanzip (desc=7, virname=0xbffff7a8, scanned=0x80529dc, root=0x805b198, limits=0x8c27338, options=9,
    reclev=0xbffff784) at scanners.c:457
#4  0x40023139 in cli\_magic\_scandesc (desc=7, virname=0xbffff7a8, scanned=0x80529dc, root=0x805b198, limits=0x8c27338, options=9,
    reclev=0xbffff784) at scanners.c:1072
#5  0x40023362 in cl\_scandesc (desc=146951176, virname=0x8c24c08, scanned=0x8c24c08, root=0x8c24c08, limits=0x8c24c08,
    options=146951176) at scanners.c:1136
#6  0x0804dac8 in checkfile (filename=0x8054c08 "3556419.4495.BKSO1kjuV", root=0x8c24c08, limits=0x8c24c08, options=146951176)
    at manager.c:832
#7  0x0804ca05 in scanfile (filename=0x8054c08 "3556419.4495.BKSO1kjuV", root=0x805b198, user=0x401f3f58, opt=0x8053008,
    limits=0x8c27338) at manager.c:513
#8  0x0804bdad in scanmanager (opt=0x8053008) at manager.c:307
#9  0x0804ab43 in clamscan (opt=0x8053008) at clamscan.c:147
#10 0x0804b2b8 in main (argc=2, argv=0xbffffb54) at options.c:149

-- 
Johan Thelmén
Cygate Måldata
Sweden Borlänge

**Information forwarded** to debian-bugs-dist@lists.debian.org:  
Bug#252253; Package zlib1g. (full text, mbox, link).

**Acknowledgement sent** to Mark Brown <broonie@debian.org>:  
Extra info received and forwarded to list. (full text, mbox, link).

Message #10 received at 252253@bugs.debian.org (full text, mbox, reply):

On Wed, Jun 02, 2004 at 01:06:36PM +0200, Johan Thelmén wrote:

> #7  0x0804ca05 in scanfile (filename=0x8054c08 "3556419.4495.BKSO1kjuV", root=0x805b198, user=0x401f3f58, opt=0x8053008,

Could you please supply one of these files that's causing trouble?

Thanks.

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."

**Tags added: upstream** Request was from broonie@sirena.org.uk (Mark Brown) to control@bugs.debian.org. (full text, mbox, link).

**Tags added: confirmed** Request was from broonie@sirena.org.uk (Mark Brown) to control@bugs.debian.org. (full text, mbox, link).

**Information forwarded** to debian-bugs-dist@lists.debian.org:  
Bug#252253; Package zlib1g. (full text, mbox, link).

**Acknowledgement sent** to Mark Brown <broonie@debian.org>:  
Extra info received and forwarded to list. (full text, mbox, link).

Message #19 received at 252253@bugs.debian.org (full text, mbox, reply):

tag 252253 + patch pending
thanks

I've got a fix which appears to deal with the problem.

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."

**Tags added: patch, pending** Request was from Mark Brown <broonie@debian.org> to control@bugs.debian.org. (full text, mbox, link).

**Tags added: fixed-upstream** Request was from broonie@sirena.org.uk (Mark Brown) to control@bugs.debian.org. (full text, mbox, link).

**Information forwarded** to debian-bugs-dist@lists.debian.org, Mark Brown <broonie@debian.org>:  
Bug#252253; Package zlib1g. (full text, mbox, link).

**Acknowledgement sent** to linux@internetists.de:  
Extra info received and forwarded to list. Copy sent to Mark Brown <broonie@debian.org>. (full text, mbox, link).

Message #28 received at 252253@bugs.debian.org (full text, mbox, reply):

Good Morning,

according to the following link http://lwn.net/Articles/99288/ the severity 
should be changed or is this bug fixed in zlib1:1.2.1.1-5?

Regards

Chris

**Information forwarded** to debian-bugs-dist@lists.debian.org:  
Bug#252253; Package zlib1g. (full text, mbox, link).

**Acknowledgement sent** to Mark Brown <broonie@debian.org>:  
Extra info received and forwarded to list. (full text, mbox, link).

Message #33 received at 252253@bugs.debian.org (full text, mbox, reply):

On Wed, Aug 25, 2004 at 10:47:57PM +0200, Chris Lehnberger wrote:

> according to the following link http://lwn.net/Articles/99288/ the severity 
> should be changed or is this bug fixed in zlib1:1.2.1.1-5?

Probably, though the release and security teams are already aware.  It
will be fixed in -6. 

-- 
"You grabbed my hand and we fell into it, like a daydream - or a fever."

**Reply sent** to Mark Brown <broonie@debian.org>:  
You have taken responsibility. (full text, mbox, link).

**Notification sent** to Johan Thelmén <johan.thelmen@cygate.se>:  
Bug acknowledged by developer. (full text, mbox, link).

Message #38 received at 252253-close@bugs.debian.org (full text, mbox, reply):

Source: zlib
Source-Version: 1:1.2.1.1-6

We believe that the bug you reported is fixed in the latest version of
zlib, which is due to be installed in the Debian FTP archive:

zlib-bin\_1.2.1.1-6\_i386.deb
  to pool/main/z/zlib/zlib-bin\_1.2.1.1-6\_i386.deb
zlib1g-dev\_1.2.1.1-6\_i386.deb
  to pool/main/z/zlib/zlib1g-dev\_1.2.1.1-6\_i386.deb
zlib1g-udeb\_1.2.1.1-6\_i386.udeb
  to pool/main/z/zlib/zlib1g-udeb\_1.2.1.1-6\_i386.udeb
zlib1g\_1.2.1.1-6\_i386.deb
  to pool/main/z/zlib/zlib1g\_1.2.1.1-6\_i386.deb
zlib\_1.2.1.1-6.diff.gz
  to pool/main/z/zlib/zlib\_1.2.1.1-6.diff.gz
zlib\_1.2.1.1-6.dsc
  to pool/main/z/zlib/zlib\_1.2.1.1-6.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 252253@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Brown <broonie@debian.org> (supplier of updated zlib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 21 Aug 2004 23:30:57 +0100
Source: zlib
Binary: zlib1g-dev zlib1g lib64z1-dev lib64z1 zlib1g-udeb zlib-bin
Architecture: source i386
Version: 1:1.2.1.1-6
Distribution: testing
Urgency: high
Maintainer: Mark Brown <broonie@debian.org>
Changed-By: Mark Brown <broonie@debian.org>
Description: 
 zlib-bin   - compression library - sample programs
 zlib1g     - compression library - runtime
 zlib1g-dev - compression library - development
 zlib1g-udeb - compression library - runtime for Debian installer (udeb)
Closes: 252253
Changes: 
 zlib (1:1.2.1.1-6) testing; urgency=high
 .
   \* Fix the error handling in the new inflate implementation to avoid
     incorrectly continuing to process in the error state.  Thanks to Johan
     Thelmén <johan.thelmen@cygate.se> for his help in finding and fixing this
     bug.  This is CAN-2004-0797 (closes: #252253).
Files: 
 08adcb71b4ed23d9b38fd5912f86c73c 679 libs optional zlib\_1.2.1.1-6.dsc
 4e8989cfce378495761a467b275ec09c 17454 libs optional zlib\_1.2.1.1-6.diff.gz
 e1e08653f9d0d79c9a50a8c6742bb557 38320 debian-installer optional zlib1g-udeb\_1.2.1.1-6\_i386.udeb
 a6d230f3f3969ae7d1895435b4662282 62070 libs required zlib1g\_1.2.1.1-6\_i386.deb
 70872f7645e1a0b5efd308ce3534cec4 409254 libdevel optional zlib1g-dev\_1.2.1.1-6\_i386.deb
 104c1001587d0edaab3b39765ce8f729 25232 utils optional zlib-bin\_1.2.1.1-6\_i386.deb
package-type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBLjsoJ2Vo11xhU60RAjo6AKDj2h5S3sCopTfht9zTAg+7dYTGvQCgiexj
2X8ccdghMn1fyyWoQCNntbk=
=65/v
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org\>. Last modified: Wed Jun 22 17:11:36 2022; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

CVE-2004-0797: #252253 - SIGSEGV in zlib1g 1.2.1.1-3 with pwzip-file

Buffer overflow in the getaddrinfo function in Python 2.2 before 2.2.2, when IPv6 support is disabled, allows remote attackers to execute arbitrary code via an IPv6 address that is obtained using DNS.

This security advisory corrects DSA 458-2 which caused a problem in the gethostbyaddr routine.

The original advisory said:

> Sebastian Schmidt discovered a buffer overflow bug in Python's getaddrinfo function, which could allow an IPv6 address, supplied by a remote attacker via DNS, to overwrite memory on the stack.
> 
> This bug only exists in python 2.2 and 2.2.1, and only when IPv6 support is disabled. The python2.2 package in Debian woody meets these conditions (the 'python' package does not).

For the stable distribution (woody), this bug has been fixed in version 2.2.1-4.6.

The testing and unstable distribution (sarge and sid) are not affected by this problem.

We recommend that you update your python2.2 packages.

CVE-2004-0150: Debian -- Security Information -- DSA-458-3 python2.2

os._execvpe from os.py in Python 2.2.1 and earlier creates temporary files with predictable names, which could allow local users to execute arbitrary code via a symlink attack.

Zack Weinberg discovered an insecure use of a temporary file in os.\_execvpe from os.py. It uses a predictable name which could lead execution of arbitrary code.

This problem has been fixed in several versions of Python: For the current stable distribution (woody) it has been fixed in version 1.5.2-23.1 of Python 1.5, in version 2.1.3-3.1 of Python 2.1 and in version 2.2.1-4.1 of Python 2.2. For the old stable distribution (potato) this has been fixed in version 1.5.2-10potato12 for Python 1.5. For the unstable distribution (sid) this has been fixed in version 1.5.2-24 of Python 1.5, in version 2.1.3-6a of Python 2.1 and in version 2.2.1-8 of Python 2.2. Python 2.3 is not affected by this problem.

We recommend that you upgrade your Python packages immediately.

CVE-2002-1119: Debian -- Security Information -- DSA-159-1 python

The libguile.so library file used by gnucash in Debian GNU/Linux is installed with world-writable permissions.

Tag

#debian