CVE-2004-0797: #252253 - SIGSEGV in zlib1g 1.2.1.1-3 with pwzip-file
The error handling in the (1) inflate and (2) inflateBack functions in ZLib compression library 1.2.x allows local users to cause a denial of service (application crash).
Debian Bug report logs - #252253
SIGSEGV in zlib1g 1.2.1.1-3 with pwzip-file
Reported by: Johan Thelmén johan.thelmen@cygate.se
Date: Wed, 2 Jun 2004 11:18:03 UTC
Severity: important
Tags: confirmed, fixed-upstream, patch, upstream
Found in version 1.2.1.1-3
Fixed in version zlib/1:1.2.1.1-6
Done: Mark Brown broonie@debian.org
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Mark Brown broonie@debian.org:
Bug#252253; Package zlib1g.
Acknowledgement sent to Johan Thelmén johan.thelmen@cygate.se:
New Bug report received and forwarded. Copy sent to Mark Brown broonie@debian.org.
Message #5 received at submit@bugs.debian.org:
Package: zlib1g
Version: 1.2.1.1-3
Severity: important
Debian version 0.70 and also in clamscan / ClamAV version devel-20040602
ii zlib1g 1.2.1.1-3
With zlib1g_1.1.4-1.0woody0_i386.deb it is working.
inflate_table (type=LENS, lens=0x8c24c08, codes=281, table=0x8c24c04, bits=0x8c24bec, work=0x8c24e88) at inftrees.c:110
110 count[lens[sym]]++;
(gdb) bt
#0 inflate_table (type=LENS, lens=0x8c24c08, codes=281, table=0x8c24c04, bits=0x8c24bec, work=0x8c24e88) at inftrees.c:110
#1 0x4006745b in inflate (strm=0x8054db8, flush=0) at inflate.c:868
#2 0x400273d9 in zzip_file_read (fp=0x8054d90, buf=0x0, len=146951176) at zziplib/zzip-file.c:391
#3 0x4002169b in cli_scanzip (desc=7, virname=0xbffff7a8, scanned=0x80529dc, root=0x805b198, limits=0x8c27338, options=9, reclev=0xbffff784) at scanners.c:457
#4 0x40023139 in cli_magic_scandesc (desc=7, virname=0xbffff7a8, scanned=0x80529dc, root=0x805b198, limits=0x8c27338, options=9, reclev=0xbffff784) at scanners.c:1072
#5 0x40023362 in cl_scandesc (desc=146951176, virname=0x8c24c08, scanned=0x8c24c08, root=0x8c24c08, limits=0x8c24c08, options=146951176) at scanners.c:1136
#6 0x0804dac8 in checkfile (filename=0x8054c08 "3556419.4495.BKSO1kjuV", root=0x8c24c08, limits=0x8c24c08, options=146951176) at manager.c:832
#7 0x0804ca05 in scanfile (filename=0x8054c08 "3556419.4495.BKSO1kjuV", root=0x805b198, user=0x401f3f58, opt=0x8053008, limits=0x8c27338) at manager.c:513
#8 0x0804bdad in scanmanager (opt=0x8053008) at manager.c:307
#9 0x0804ab43 in clamscan (opt=0x8053008) at clamscan.c:147
#10 0x0804b2b8 in main (argc=2, argv=0xbffffb54) at options.c:149
– Johan Thelmén Cygate Måldata Sweden Borlänge
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#252253; Package zlib1g.
Acknowledgement sent to Mark Brown broonie@debian.org:
Extra info received and forwarded to list.
Message #10 received at 252253@bugs.debian.org:
On Wed, Jun 02, 2004 at 01:06:36PM +0200, Johan Thelmén wrote:
> #7 0x0804ca05 in scanfile (filename=0x8054c08 "3556419.4495.BKSO1kjuV", root=0x805b198, user=0x401f3f58, opt=0x8053008,
Could you please supply one of these files that’s causing trouble?
Thanks.
– “You grabbed my hand and we fell into it, like a daydream - or a fever.”
Tags added: upstream Request was from broonie@sirena.org.uk (Mark Brown) to control@bugs.debian.org.
Tags added: confirmed Request was from broonie@sirena.org.uk (Mark Brown) to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#252253; Package zlib1g.
Acknowledgement sent to Mark Brown broonie@debian.org:
Extra info received and forwarded to list.
Message #19 received at 252253@bugs.debian.org:
tag 252253 + patch pending
thanks
I’ve got a fix which appears to deal with the problem.
– “You grabbed my hand and we fell into it, like a daydream - or a fever.”
Tags added: patch, pending Request was from Mark Brown broonie@debian.org to control@bugs.debian.org.
Tags added: fixed-upstream Request was from broonie@sirena.org.uk (Mark Brown) to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Mark Brown broonie@debian.org:
Bug#252253; Package zlib1g.
Acknowledgement sent to linux@internetists.de:
Extra info received and forwarded to list. Copy sent to Mark Brown broonie@debian.org.
Message #28 received at 252253@bugs.debian.org:
Good Morning,
according to the following link http://lwn.net/Articles/99288/ the severity should be changed or is this bug fixed in zlib1:1.2.1.1-5?
Regards
Chris
Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#252253; Package zlib1g.
Acknowledgement sent to Mark Brown broonie@debian.org:
Extra info received and forwarded to list.
Message #33 received at 252253@bugs.debian.org:
On Wed, Aug 25, 2004 at 10:47:57PM +0200, Chris Lehnberger wrote:
> according to the following link http://lwn.net/Articles/99288/ the severity should be changed or is this bug fixed in zlib1:1.2.1.1-5?
Probably, though the release and security teams are already aware. It will be fixed in -6.
– “You grabbed my hand and we fell into it, like a daydream - or a fever.”
Reply sent to Mark Brown broonie@debian.org:
You have taken responsibility.
Notification sent to Johan Thelmén johan.thelmen@cygate.se:
Bug acknowledged by developer.
Message #38 received at 252253-close@bugs.debian.org:
Source: zlib
Source-Version: 1:1.2.1.1-6
We believe that the bug you reported is fixed in the latest version of zlib, which is due to be installed in the Debian FTP archive:
zlib-bin_1.2.1.1-6_i386.deb to pool/main/z/zlib/zlib-bin_1.2.1.1-6_i386.deb
zlib1g-dev_1.2.1.1-6_i386.deb to pool/main/z/zlib/zlib1g-dev_1.2.1.1-6_i386.deb
zlib1g-udeb_1.2.1.1-6_i386.udeb to pool/main/z/zlib/zlib1g-udeb_1.2.1.1-6_i386.udeb
zlib1g_1.2.1.1-6_i386.deb to pool/main/z/zlib/zlib1g_1.2.1.1-6_i386.deb
zlib_1.2.1.1-6.diff.gz to pool/main/z/zlib/zlib_1.2.1.1-6.diff.gz
zlib_1.2.1.1-6.dsc to pool/main/z/zlib/zlib_1.2.1.1-6.dsc
A summary of the changes between this version and the previous one is attached.
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 252253@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software pp. Mark Brown broonie@debian.org (supplier of updated zlib package)
(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Format: 1.7
Date: Sat, 21 Aug 2004 23:30:57 +0100
Source: zlib
Binary: zlib1g-dev zlib1g lib64z1-dev lib64z1 zlib1g-udeb zlib-bin
Architecture: source i386
Version: 1:1.2.1.1-6
Distribution: testing
Urgency: high
Maintainer: Mark Brown broonie@debian.org
Changed-By: Mark Brown broonie@debian.org
Description:
 zlib-bin - compression library - sample programs
 zlib1g - compression library - runtime
 zlib1g-dev - compression library - development
 zlib1g-udeb - compression library - runtime for Debian installer (udeb)
Closes: 252253
Changes:
 zlib (1:1.2.1.1-6) testing; urgency=high
 .
 * Fix the error handling in the new inflate implementation to avoid
   incorrectly continuing to process in the error state. Thanks to
   Johan Thelmén johan.thelmen@cygate.se for his help in finding and
   fixing this bug. This is CAN-2004-0797 (closes: #252253).
Files:
 08adcb71b4ed23d9b38fd5912f86c73c 679 libs optional zlib_1.2.1.1-6.dsc
 4e8989cfce378495761a467b275ec09c 17454 libs optional zlib_1.2.1.1-6.diff.gz
 e1e08653f9d0d79c9a50a8c6742bb557 38320 debian-installer optional zlib1g-udeb_1.2.1.1-6_i386.udeb
 a6d230f3f3969ae7d1895435b4662282 62070 libs required zlib1g_1.2.1.1-6_i386.deb
 70872f7645e1a0b5efd308ce3534cec4 409254 libdevel optional zlib1g-dev_1.2.1.1-6_i386.deb
 104c1001587d0edaab3b39765ce8f729 25232 utils optional zlib-bin_1.2.1.1-6_i386.deb
package-type: udeb
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFBLjsoJ2Vo11xhU60RAjo6AKDj2h5S3sCopTfht9zTAg+7dYTGvQCgiexj 2X8ccdghMn1fyyWoQCNntbk= =65/v -----END PGP SIGNATURE-----
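The changelog entry above says the fix stops inflate from continuing to process once it is in the error state. The following is an added illustration of that failure pattern and its guard; it is not zlib's code and not part of the bug log, and the toy header format, the `check_bad` switch and every name in it are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
enum mode { LENS, READY, BAD };   /* LENS is 0, so memset() below selects it */
#define NSYMS  8                  /* code lengths the stream must supply */
#define MAXLEN 15                 /* largest legal code length */

struct dec {
    enum mode mode;
    unsigned char lens[NSYMS];
    unsigned zero_lens;           /* symbols the built table saw with length 0 */
};

/* Stand-in table builder: indexes count[] by lens[sym], so it trusts lens[]. */
static void build_table(struct dec *d) {
    unsigned count[MAXLEN + 1] = {0};
    for (size_t s = 0; s < NSYMS; s++)
        count[d->lens[s]]++;
    d->zero_lens = count[0];
    d->mode = READY;              /* silently replaces BAD if reached in error */
}

/* Constructed format: byte 0..15 is one length, 0x80|n repeats the previous
 * length n times. check_bad=0 shows the fall-through, check_bad=1 the guard. */
int decode_lens(struct dec *d, const unsigned char *in, size_t n, int check_bad) {
    size_t have = 0, i = 0;
    memset(d, 0, sizeof *d);      /* lens[] zeroed, so the demo stays in bounds */
    while (have < NSYMS) {        /* every break below leaves this loop only */
        if (i == n) { d->mode = BAD; break; }        /* truncated header */
        unsigned char b = in[i++];
        if (b & 0x80) {
            size_t rep = b & 0x7f;
            if (have == 0 || have + rep > NSYMS) { d->mode = BAD; break; }
            while (rep--) { d->lens[have] = d->lens[have - 1]; have++; }
        } else if (b <= MAXLEN) {
            d->lens[have++] = b;
        } else { d->mode = BAD; break; }             /* illegal length */
    }
    if (check_bad && d->mode == BAD) return -1;      /* error is terminal */
    build_table(d);
    return 0;
}

int main(void) {
    const unsigned char bad[] = {3, 0x89};           /* constructed bad header */
    struct dec d;
    printf("unchecked=%d ", decode_lens(&d, bad, sizeof bad, 0));
    printf("checked=%d\n", decode_lens(&d, bad, sizeof bad, 1));
    return 0;
}
```

With `check_bad` set to 0 the rejected header still reaches `build_table()`, which reports success over a mostly empty length array; with it set to 1 the decoder returns the error and stays in `BAD`.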
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 22 17:11:36 2022; Machine Name: buxtehude