Subject: Re: NetBSD Security Advisory 2003-004: Format string vulnerability in zlib gzprintf()
To: Paul Hoffman <phoffman@proper.com>
From: David Maxwell <david@vex.net>
List: tech-security
Date: 03/26/2003 21:39:11

On Wed, Mar 26, 2003 at 02:58:37PM -0800, Paul Hoffman wrote:
> At 1:54 PM -0500 3/26/03, NetBSD Security Officer wrote:
> >* NetBSD 1.6:
> >. . .
> >
> >	Alternatively, apply the following patch (with potential offset
> >	differences):
> >
> >	ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2003-004-zlib-1.6.patch
> 
> That works.
> 
> >
> >	To patch, re-build and re-install zlib:
> >
> >		# cd src/lib/libz
> >		# patch < /path/to/SA2003-004-zlib-1.6.patch
> 
> That doesn't. The patch wants gzio.c, but it doesn't exist in the directory:
> . . .
> -rw-r--r--   1 root  wheel  16110 Mar 11  2002 example.c
> -rw-r--r--   1 root  wheel   2186 Oct 26  1999 gzio_compat.c
> -rw-r--r--   1 root  wheel  12502 Mar 11  2002 infblock.c
> . . .

That's very odd. How did you get that particular set of sources? I'd be
curious, since your set seems incomplete.

gzio.c was included in the src at the time of the 1.6 release (in fact,
it has been in the same place since before NetBSD 1.3...) and was at
revision 1.12 at the time of the 1.6 release.

You can see the same here:

http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libz/gzio.c

One simple method - use this link:

http://cvsweb.netbsd.org/bsdweb.cgi/~checkout~/src/lib/libz/gzio.c?rev=1.12.2.1&content-type=text/plain

That will download the gzio.c file, including the patch (you can see from
the patch header that it turns 1.12 into 1.12.2.1 - the link above will
give you a complete 1.12.2.1).

-- 
David Maxwell, david@vex.net|david@maxwell.net -->
(About an Amiga rendering landscapes) It's not thinking, it's being artistic!
					      - Jamie Woods