Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 14 Mar 2003 18:03:24 -0800
From:      David Schultz <das@FreeBSD.ORG>
To:        Eivind Eklund <eivind@FreeBSD.ORG>
Cc:        Jean-Marc Zucconi <jmz@FreeBSD.ORG>, src-committers@FreeBSD.ORG, cvs-src@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject:   Re: cvs commit: src/lib/libz gzio.c
Message-ID:  <20030315020324.GA24565@HAL9000.homeunix.com>
In-Reply-To: <20030314044434.B42430@FreeBSD.org>
References:  <200303140147.h2E1l11r023091@repoman.freebsd.org> <20030314044434.B42430@FreeBSD.org>

next in thread | previous in thread | raw e-mail | index | archive | help
Thus spake Eivind Eklund <eivind@FreeBSD.org>:
> On Thu, Mar 13, 2003 at 05:47:01PM -0800, Jean-Marc Zucconi wrote:
> > jmz         2003/03/13 17:47:01 PST
> > 
> >   FreeBSD src repository
> > 
> >   Modified files:
> >     lib/libz             gzio.c 
> >   Log:
> >   In src/lib/libz/gzio.c the function gzprintf does not check if the
> >   amount of bytes (supposed to be) written by vsnprintf exceeds the
> >   size of the buffer.
> >   
> >   PR:             bin/48844
> >   Submitted by:   Peter A Jonsson <pj@ludd.luth.se>
> >   Obtained from:  OpenBSD
> >   MFC after:      1 month
> 
> Are we sure this does not have security implications and should be merged
> ASAP?  It sounds like a security fix, and one I'd like to have in 4.8 - if
> gunzipping files can be exploited, it could turn nasty.

Probably not.  The bug doesn't cause a buffer overflow; it just
causes gzprintf() to truncate its output for large strings and
return success instead of returning failure as it should.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030315020324.GA24565>