Bug#532736: CVE-2009-1391: Buffer overflow in Compress::Raw::Zlib
Niko Tyni
ntyni at debian.org
Thu Jun 11 09:42:12 UTC 2009
On Thu, Jun 11, 2009 at 10:00:08AM +0200, Stefan Fritsch wrote:
> Package: perl
> Version: 5.10.0-19
> Severity: grave
> Tags: security
> Justification: user security hole
>
> A security vulnerability was found in Compress::Raw::Zlib:
>
> Compress::Raw::Zlib versions before 2.017 contain a buffer overflow in
> inflate(). A badly formed zlib-stream can trigger this buffer overflow and cause
> the perl process at least to hang or to crash.
>
> This causes a remote DoS in amavisd-new.
>
> The perl package in lenny and sid contains Compress::Raw::Zlib 2.008.
> There is also a separate package libcompress-raw-zlib-perl.
>
> More information can be found at
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1391
Thanks.
My preliminary understanding is that the minimal fix could be just this hunk:
--- Compress-Raw-Zlib-2.015/Zlib.xs 2008-09-03 22:42:10.000000000 +0100
+++ Compress-Raw-Zlib-2.017/Zlib.xs 2009-04-04 13:09:59.000000000 +0100
@@ -1322,7 +1322,7 @@ inflate (s, buf, output, eof=FALSE)
while (RETVAL == Z_OK) {
if (s->stream.avail_out == 0 ) {
/* out of space in the output buffer so make it bigger */
- Sv_Grow(output, SvLEN(output) + bufinc) ;
+ Sv_Grow(output, SvLEN(output) + bufinc +1) ;
cur_length += increment ;
s->stream.next_out = (Bytef*) SvPVbyte_nolen(output) + cur_length ;
increment = bufinc ;
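Review bot: the +1 added to the Sv_Grow() size on the changed line is an unexplained constant. The existing comment only says the buffer is being made bigger, so add a comment naming what the extra byte is reserved for, and write it as "bufinc + 1" to match the spacing of the rest of the expression. The hunk also does not show where s->stream.avail_out is reset after next_out is moved to SvPVbyte_nolen(output) + cur_length, so these lines alone do not confirm that cur_length plus the new avail_out stays within the grown SvLEN(output). Check that assignment against the new size before treating this hunk as the complete fix.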
but I'm not quite sure if we also need the "Only setup the stream output
pointers if there is spare capacity in the outout SV" part in
http://search.cpan.org/diff?from=Compress-Raw-Zlib-2.015&to=Compress-Raw-Zlib-2.017#Zlib.xs
This needs further investigation. Help would be welcome.
--
Niko Tyni ntyni at debian.org