xml-general mailing list archives

From Matt Sergeant <m...@sergeant.org>
Subject [SECURITY] AxKit - Possible zlib Vulnerability
Date Mon, 11 Mar 2002 22:21:07 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

AxKit Advisory 2002-03-11
Possible zlib Vulnerability

Author:
  Matt Sergeant, matt@sergeant.org

Systems Affected:
  - All AxKit systems running zlib < 1.1.4

Risk:
  - Low

Overview

  A buffer overflow has been found in the decompression code in versions
  of the zlib library prior to version 1.1.4 (released on 2002-03-11).
  This does not compromise the compression features of zlib.  For a full
  description of the zlib vulnerability see the zlib advisory referred
  to below.  This vulnerability could potentially be exploited on AxKit
  systems to execute arbitrary code on the server.

Description

  AxKit can use the GNOME project's libxml2 library to read XML and
  libxml2 uses zlib to decompress gzipped XML.  If an exploit is found
  for the zlib vulnerability and, in addition, some way is found to trick
  AxKit into reading arbitrary gzipped XML files, an exploit of the zlib
  vulnerability using AxKit is possible.  There is no known exploit for
  the zlib vulnerability at this time, though one may be found.

  AxKit uses the zlib library directly in a number of places. Most
  often, zlib is used to automatically compress output when the
  AxGzipOutput On directive is used.  Because this feature only enables
  compression we do *not* believe it enables an exploit of the zlib
  vulnerability.

Impact

  Because this vulnerability is associated only with decompressing data
  and because a further exploit would need to be found to trick AxKit
  into decompressing such data and because any exploit found will be
  restricted to the user Apache is running under (usually the "nobody"
  user), the risk that an exploit will be engineered for an AxKit
  enabled server is low.  Judging by the nature of the vulnerability, the
  difficulty of creating an exploit is very high if not impossible.
  Moreover, the implementation of the malloc() system call might prevent
  this vulnerability on some systems or on some configurations.  However,
  we advise all AxKit users to upgrade their version of zlib.

Solution

  New versions of zlib should be available from your vendor; an updated
  version of zlib (1.1.4) is now available for download from the official
  zlib web site at http://www.gzip.org/zlib/

Acknowledgments

  Thanks to Barrie Slaymaker and Joerg Walter for their help in writing
  this advisory.

Links:

  The zlib advisory: http://www.gzip.org/zlib/advisory-2002-03-11.txt

This document is available at http://axkit.org/advisory-2002-03-11.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjyNKhYACgkQ2o1H04q650PAoQCeLVFCoRQpSKR9dNnfAZpX1wbx
D7sAnjXBhSG6fN/7ybg/LWnxx7HWQcp+
=jSoV
-----END PGP SIGNATURE-----
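
Added example (not part of the advisory or of the AxKit code): a check of a zlib version string against the 1.1.4 fix named in the advisory, plus a gzip-magic test showing which XML inputs would reach the decompression path. The function names and sample inputs are constructed for illustration; the version Python reports is the zlib linked into Python, which may differ from the one Apache and libxml2 load.

```python
import gzip
import re
import zlib

FIXED = (1, 1, 4)          # first fixed zlib release, per the advisory
GZIP_MAGIC = b"\x1f\x8b"   # gzip ID1/ID2 bytes (RFC 1952)


def parse_zlib_version(text):
    """Leading numeric components of a zlib version string.

    Accepts "1.1.3", four-part "1.2.3.4" and suffixed "1.2.11.zlib-ng".
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("unrecognised zlib version: %r" % (text,))
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version_text):
    """True when the version is older than 1.1.4."""
    v = parse_zlib_version(version_text)
    v += (0,) * (len(FIXED) - len(v))   # "1.1" compares as (1, 1, 0)
    return v < FIXED


def is_gzip_stream(data):
    """True when data starts with the gzip magic and the deflate method (8)."""
    return len(data) >= 3 and data[:2] == GZIP_MAGIC and data[2] == 8


def inputs_reaching_inflate(inputs):
    """Names of inputs that are gzip streams and so would be decompressed."""
    return sorted(n for n, d in inputs.items() if is_gzip_stream(d))


# Constructed sample inputs, for illustration only.
CONSTRUCTED_INPUTS = {
    "plain.xml": b"<?xml version='1.0'?><doc/>",
    "packed.xml": gzip.compress(b"<?xml version='1.0'?><doc/>"),
    "short.bin": b"\x1f\x8b",
}

if __name__ == "__main__":
    runtime = zlib.ZLIB_RUNTIME_VERSION   # zlib linked into this Python only
    state = "AFFECTED (< 1.1.4)" if is_affected(runtime) else "not affected"
    print("zlib %s: %s" % (runtime, state))
    print("gzip inputs:", inputs_reaching_inflate(CONSTRUCTED_INPUTS))
```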


