Bug 59087 (CVE-2004-0797)

Summary: VUL-0: CVE-2004-0797: zlib: DoS in zlib 1.2
Product: [Novell Products] SUSE Security Incidents
Reporter: Sebastian Krahmer <krahmer>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: qa-bugs, ro, security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0797: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments:
  Attachment which was added to the mail
  box patchinfo for zlib and zlib-devel
  patchinfo for maintained, zlib and zlib-devel
  alternative patch

Description Sebastian Krahmer 2004-08-23 17:23:44 UTC
Date: Mon, 23 Aug 2004 07:31:24 +0200
From: Martin Schulze <joey@infodrom.org>
To: vendor-sec@lst.de
Subject: [vendor-sec] CAN-2004-0797: Denial of service in zlib 1.2
Parts/Attachments:
   1 Shown     14 lines  Text
   2   OK     152 lines  Text
----------------------------------------

Hi,

our zlib1.2 maintainer sent the following message upstream.  This issue is
already public due to http://bugs.debian.org/252253.

This only affects zlib 1.2 (inflate() was rewritten between 1.1
and 1.2).

Regards,
 Joey
Comment 1 Sebastian Krahmer 2004-08-23 17:23:44 UTC
Which products ship zlib 1.2?
Comment 2 Marcus Meissner 2004-08-23 17:29:14 UTC
9.1 / SLES 9. 
 
9.0 and below use 1.1.4 and less 
Comment 3 Sebastian Krahmer 2004-08-23 17:30:14 UTC
Created attachment 22841 [details]
Attachment which was added to the mail

...
Comment 4 Ruediger Oertel 2004-08-23 21:55:23 UTC
patch extracted ... package building 
who will write patchinfo files (SLES9/9.1) ? 
Comment 5 Sebastian Krahmer 2004-08-24 21:44:23 UTC
Hold, I will write them.
Comment 6 Sebastian Krahmer 2004-08-24 21:54:38 UTC
Created attachment 22871 [details]
box patchinfo for zlib and zlib-devel

...
Comment 7 Sebastian Krahmer 2004-08-24 21:55:05 UTC
Created attachment 22872 [details]
patchinfo for maintained, zlib and zlib-devel

...
Comment 8 Sebastian Krahmer 2004-08-25 16:32:48 UTC
Date: Wed, 25 Aug 2004 01:23:42 +0400
From: Dmitry V. Levin <ldv@altlinux.org>
To: vendor-sec@lst.de
Cc: Mark Brown <broonie@sirena.org.uk>
Subject: Re: [vendor-sec] CAN-2004-0797: Denial of service in zlib 1.2
Parts/Attachments:
   1.1 Shown    ~28 lines  Text
   1.2   OK     ~27 lines  Text
   2            196 bytes  Application
----------------------------------------

Hi,

On Mon, Aug 23, 2004 at 07:31:24AM +0200, Martin Schulze wrote:
[...]
> The source of the problem appears to be that throughout the inflate()
> function the standard way to handle a detected error is:
> 
>      strm->msg = (char *)"Error message";
>      state->mode = BAD;
>      break;
> 
> However, while processing the CODELENS state there are a couple of cases
> where an error can be detected inside a while loop so this idiom doesn't
> exit the main processing but instead only exits the while loop.  This
> causes the code to continue into inflate_trees() and potentially crash
> on uninitialised values in the lens array[1].  The fix below replaces
> the break statement with a goto statement that does the right thing.

The fix proposed by Mark Brown does not set the proper return value of
the inflate() and inflateBack() functions in case of an error inside the loop.
Either the ret variable should be set to Z_DATA_ERROR right before the goto
statement, or state->mode should be tested right after the loop.

Here is a patch which demonstrates the second approach.

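The control-flow mistake discussed above, as an added, constructed example (not zlib's code, and not any of the patches attached to this bug): a switch-driven state machine in the inflate() style where an error found inside an inner while loop uses the usual "set msg, set mode to BAD, break" idiom. The `break` only leaves the while loop, so the buggy variant goes on to build its table from a half-filled `lens` array and reports Z_OK. The other three variants show the goto fix without setting `ret` (the gap Dmitry points out: the state says BAD but the caller still gets Z_OK), the goto fix with `ret = Z_DATA_ERROR`, and the "test mode after the loop" approach. Z_OK and Z_DATA_ERROR use zlib's real values; everything else (`toy_inflate`, `demo`, the byte-per-length input format, the sample inputs) is constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy state machine; it is NOT zlib's inflate(). */
enum { Z_OK = 0, Z_DATA_ERROR = -3 };       /* same values zlib uses */
enum mode { CODELENS, DONE, BAD };           /* toy subset of inflate modes */
enum variant { BUGGY, GOTO_NO_RET, GOTO_SET_RET, CHECK_AFTER_LOOP };

#define NLENS   8     /* number of code lengths in the toy format */
#define MAX_LEN 7     /* any length above this is invalid */

struct state {
    enum mode mode;
    const char *msg;
    unsigned lens[NLENS];
    unsigned have;        /* lengths consumed so far */
    unsigned table_size;  /* toy stand-in for the table built from lens */
};

/* Constructed sample inputs: one byte per code length. */
static const unsigned char GOOD[NLENS]   = {1, 2, 3, 4, 5, 6, 7, 0};
static const unsigned char BAD_IN[NLENS] = {1, 2, 3, 9, 4, 5, 6, 7}; /* 9 > MAX_LEN */

/* Returns the status a caller would see; *s is left in the final state. */
static int toy_inflate(struct state *s, const unsigned char *in, size_t n,
                       enum variant v)
{
    int ret = Z_OK;
    size_t pos = 0;

    for (;;) {
        switch (s->mode) {
        case CODELENS:
            while (s->have < NLENS) {
                if (pos >= n)
                    goto inf_leave;             /* need more input */
                unsigned len = in[pos++];
                if (len > MAX_LEN) {
                    s->msg = "invalid code length";
                    s->mode = BAD;
                    if (v == GOTO_NO_RET)
                        goto inf_leave;         /* leaves, but ret is still Z_OK */
                    if (v == GOTO_SET_RET) {
                        ret = Z_DATA_ERROR;     /* status and state now agree */
                        goto inf_leave;
                    }
                    break;                      /* leaves only the while loop */
                }
                s->lens[s->have++] = len;
            }
            if (v == CHECK_AFTER_LOOP && s->mode == BAD)
                break;                          /* re-enter switch; BAD case sets ret */
            /* BUGGY reaches here with mode == BAD and lens only partly filled;
             * the real code went on to build Huffman tables from such data. */
            s->table_size = 0;
            for (unsigned i = 0; i < NLENS; i++)
                s->table_size += s->lens[i];
            s->mode = DONE;
            break;
        case DONE:
            goto inf_leave;
        case BAD:
            ret = Z_DATA_ERROR;
            goto inf_leave;
        }
    }
inf_leave:
    return ret;
}

/* Runs one variant over a sample input; copies the final state to *out if given. */
static int demo(enum variant v, int use_bad_input, struct state *out)
{
    struct state s;
    memset(&s, 0, sizeof s);
    s.mode = CODELENS;
    int ret = toy_inflate(&s, use_bad_input ? BAD_IN : GOOD, NLENS, v);
    if (out)
        *out = s;
    return ret;
}

/* Final machine mode for a variant, for comparison with the return value. */
static int demo_mode(enum variant v, int use_bad_input)
{
    struct state s;
    demo(v, use_bad_input, &s);
    return (int)s.mode;
}

int main(void)
{
    static const char *names[] = {"BUGGY", "GOTO_NO_RET", "GOTO_SET_RET",
                                  "CHECK_AFTER_LOOP"};
    for (int v = BUGGY; v <= CHECK_AFTER_LOOP; v++) {
        struct state s;
        int ret = demo((enum variant)v, 1, &s);
        printf("%-17s ret=%2d mode=%d msg=%s table_size=%u\n", names[v], ret,
               (int)s.mode, s.msg ? s.msg : "(none)", s.table_size);
    }
    return 0;
}
```

Running it on the bad input shows the two symptoms side by side: BUGGY ends in mode DONE with Z_OK and a table built from only three lengths, GOTO_NO_RET ends in mode BAD yet still returns Z_OK, and only the two remaining variants return Z_DATA_ERROR. Either fix is acceptable; the second one is the smaller change because the existing BAD case already sets the return value.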
Comment 9 Sebastian Krahmer 2004-08-25 16:35:52 UTC
Created attachment 22894 [details]
alternative patch

Please see last comment.
Comment 10 Ruediger Oertel 2004-08-25 20:47:47 UTC
packages submitted to 9.1/SLES9 and stable 
 
Comment 11 Sebastian Krahmer 2004-08-27 16:30:32 UTC
CAN-2004-0797
Comment 12 Thomas Biege 2004-09-02 22:26:56 UTC
packages approved. The adv. will be released in a few minutes 
Comment 13 Thomas Biege 2009-10-13 19:47:47 UTC
CVE-2004-0797: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)