Description
zlib versions up to and including 1.3.1.2 include a global buffer overflow in the untgz utility located under contrib/untgz. The vulnerability is limited to the standalone demonstration utility and does not affect the core zlib compression library. The flaw occurs when a user executes the untgz command with an excessively long archive name supplied via the command line, leading to an out-of-bounds write in a fixed-size global buffer.
A flaw was found in zlib. A global buffer overflow vulnerability exists in the untgz utility, specifically within the TGZfname() function. This flaw allows an attacker to provide an archive name longer than 1024 bytes, leading to an out-of-bounds write. This can result in memory corruption, denial of service, and potentially arbitrary code execution on the affected system.
Statement
This vulnerability is rated Important rather than Critical. It is a classic global buffer overflow that compromises the availability of the affected process and may affect its integrity, but it does not meet the bar of easy, remote, unauthenticated system compromise. The flaw is confined to the untgz command-line utility and is triggered only through an attacker-controlled command-line argument, not through automatic processing of network data or by a background service. Exploitation therefore requires local access, or a cooperating application or script that passes untrusted input to untgz as the archive name, which keeps it outside the class of wormable or directly remote exploits. The overflow reliably causes a denial of service; turning it into code execution depends on compiler hardening (a build with _FORTIFY_SOURCE, for example, turns an oversized strcpy() into a static buffer of known size into an abort rather than silent corruption), on the layout of the globals adjacent to the buffer, and on the execution context, all of which make exploitation less straightforward than a Critical rating requires.
Mitigation
To mitigate this vulnerability, do not run untgz with archive names taken from untrusted sources. Where automated processes or user-facing tooling invoke untgz, validate the archive name before passing it on: the copy into the fixed-size buffer includes the terminating NUL, so any name of 1024 bytes or more already overflows it and must be rejected. If untgz is not needed for system operation, restrict its execution permissions or remove the package that provides it, where applicable.
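As an added example (not code from the zlib project or from this advisory), the following C shows the unbounded-copy pattern the description attributes to TGZfname() beside a bounded replacement, together with the length pre-check that the mitigation above recommends for any wrapper that invokes untgz. The 1024-byte static buffer comes from the description; the function and helper names, and the constructed test names, are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Size of the static buffer that the advisory says TGZfname() copies into. */
#define TGZ_BUF_LEN 1024

/* Vulnerable pattern as described: unbounded strcpy() of argv-supplied text
 * into a fixed-size global buffer, before any archive parsing happens.
 * Kept only for comparison; never call it on untrusted input. */
static char vuln_buffer[TGZ_BUF_LEN];
const char *tgz_fname_vulnerable(const char *arcname)
{
    strcpy(vuln_buffer, arcname);   /* writes strlen(arcname)+1 bytes, no bound */
    return vuln_buffer;
}

/* Bounded strlen so the check itself never reads more than max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Pre-check usable by a wrapper before exec'ing untgz: the name fits only if
 * it and its terminating NUL fit in buf_len bytes, i.e. strlen < buf_len.
 * A 1024-byte name against a 1024-byte buffer therefore does NOT fit. */
int archive_name_fits(const char *arcname, size_t buf_len)
{
    return bounded_len(arcname, buf_len) < buf_len;
}

/* Hardened replacement (assumed name): refuse over-long names instead of
 * overflowing; the caller treats NULL as "bad archive name". */
static char safe_buffer[TGZ_BUF_LEN];
const char *tgz_fname_safe(const char *arcname)
{
    if (!archive_name_fits(arcname, sizeof safe_buffer))
        return NULL;
    size_t len = bounded_len(arcname, sizeof safe_buffer);
    memcpy(safe_buffer, arcname, len + 1);   /* +1 copies the NUL */
    return safe_buffer;
}

/* Constructed input (not a real archive name): n bytes of 'A'. */
static char name_buf[4096];
const char *make_name(size_t n)
{
    if (n >= sizeof name_buf)
        n = sizeof name_buf - 1;
    memset(name_buf, 'A', n);
    name_buf[n] = '\0';
    return name_buf;
}

int main(void)
{
    /* 11 and 1023 bytes are accepted; 1024 and 2048 are rejected. */
    size_t lens[] = { 11, 1023, 1024, 2048 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        const char *name = make_name(lens[i]);
        printf("name of %4zu bytes: %s\n", lens[i],
               tgz_fname_safe(name) ? "accepted" : "rejected (would overflow)");
    }
    return 0;
}
```

The boundary worth remembering is the terminating NUL: a name of exactly 1024 bytes already writes one byte past a 1024-byte buffer, so a wrapper that only rejects names "longer than 1024" still lets the off-by-one through.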
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch6-rhel9 | Will not fix | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch-operator-bundle | Will not fix | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch-proxy-rhel9 | Will not fix | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch-rhel9-operator | Will not fix | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/fluentd-rhel9 | Will not fix | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Will not fix | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-curator5-rhel9 | Will not fix | ||
| Red Hat build of OpenJDK 11 ELS | java-11-openjdk | Not affected | ||
| Red Hat build of OpenJDK 11 ELS | java-11-openjdk-portable | Not affected | ||
| Red Hat build of OpenJDK 11 ELS | java-21-openjdk-portable | Not affected | | |
Additional information
Status:
EPSS
CVSS3: 8.6 High
Related vulnerabilities
zlib versions up to and including 1.3.1.2 contain a global buffer overflow in the untgz utility. The TGZfname() function copies an attacker-supplied archive name from argv[] into a fixed-size 1024-byte static global buffer with an unbounded strcpy() call and no length validation. Because strcpy() also writes the terminating NUL, an archive name of 1024 bytes or more results in an out-of-bounds write, which can lead to memory corruption, denial of service, and potentially code execution depending on compiler, build flags, architecture, and memory layout. The overflow occurs before any archive parsing or validation.