zlib untgz utility: global buffer overflow from an unbounded strcpy() on the user-supplied archive name
Summary: the untgz utility in zlib's contrib directory has a global buffer overflow. TGZfname() performs no length validation on user input, leading to memory corruption and a potential code-execution risk. The issue has been reported; the affected version is not an official release. 2026-1-6 17:38:0 Author: seclists.org (view original)

oss-sec mailing list archives


From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Tue, 6 Jan 2026 09:31:08 -0800

I didn't see any mention of this in https://github.com/madler/zlib so
I filed https://github.com/madler/zlib/issues/1142 .

Note once again, this is in a utility in the contrib directory, not the main
zlib library itself.  (And 1.3.1.2 is not an actual release, but a git tag being
used for other purposes - see https://github.com/madler/zlib/discussions/1128 .)

        -alan-


-------- Forwarded Message --------
Subject: [FD] zlib v1.3.1.2 Global Buffer Overflow in TGZfname() of zlib untgz Utility via Unbounded strcpy() on User-Supplied Archive Name
Date: Mon, 29 Dec 2025 22:43:46 -0500
From: Ron E <ronaldjedgerson () gmail com>
To: fulldisclosure () seclists org

A global buffer overflow vulnerability exists in the TGZfname() function of
the zlib untgz utility due to the use of an unbounded strcpy() call on
attacker-controlled input. The utility copies a user-supplied archive name
(argv[arg]) into a fixed-size static global buffer of 1024 bytes without
performing any length validation. Supplying an archive name longer than
1024 bytes results in an out-of-bounds write past the end of the global
buffer, leading to memory corruption.

The vulnerable code is reached prior to any archive parsing or validation,
making the flaw trivially reachable through command-line input alone.

*Root Cause*
* arcname is derived directly from argv[]
* No bounds checking is performed before copying into buffer
* buffer is a global static array, not stack-allocated
* Overflow occurs immediately on function entry

*Impact*
An attacker can trigger a global buffer overflow by invoking untgz with a
sufficiently long filename argument.
Potential impacts include:
* Denial of Service (crash)
* Memory corruption of adjacent global objects
* Undefined behavior
* Potential code execution depending on:
    * compiler
    * architecture
    * build flags
    * memory layout
Because the overflow affects global memory, corruption may persist beyond
the scope of the function and influence later program behavior.

*Evidence:*
./untgz_asan "$(python3 - <<'EOF'
print("A" * 4096)
EOF
)"

*ASAN Output:*
=================================================================
==3141495==ERROR: AddressSanitizer: global-buffer-overflow on address
0xaaaab54d8ec0 at pc 0xaaaab4a91bec bp 0xfffffd1e5150 sp 0xfffffd1e4940
WRITE of size 2001 at 0xaaaab54d8ec0 thread T0
    #0 0xaaaab4a91be8 in strcpy
(/root/zlib/contrib/untgz/untgz_asan+0xc1be8) (BuildId:
31ab7d499b8ab40a93265dad8bfb879e63c604ab)
    #1 0xaaaab4aee508 in TGZfname /root/zlib/contrib/untgz/untgz.c:136:3
    #2 0xaaaab4af2fec in main /root/zlib/contrib/untgz/untgz.c:638:20
    #3 0xffffbaa52598 in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0xffffbaa52678 in __libc_start_main csu/../csu/libc-start.c:360:3
    #5 0xaaaab4a079ac in _start
(/root/zlib/contrib/untgz/untgz_asan+0x379ac) (BuildId:
31ab7d499b8ab40a93265dad8bfb879e63c604ab)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
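As an added illustration (not code from untgz or from the advisory above), the check a fix needs: TGZfname() appends probe suffixes to the copied name, so the bound has to cover the name plus the longest suffix, not the name alone. The suffix list and the 1024-byte static buffer below are assumptions modelled on the utility's behaviour.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define NAME_BUF 1024  /* assumption: same size as untgz's static buffer */

/* Assumption: suffixes untgz probes when locating the archive. */
static const char *TGZsuffix[] = { "", ".tar", ".tar.gz", ".tgz", NULL };

/* Returns 1 if arcname plus the longest suffix plus NUL fits in bufsize.
 * A name of 1020 bytes fits on its own but not once ".tar.gz" is added,
 * which is why the check must include the suffix length. */
int tgz_name_fits(const char *arcname, size_t bufsize)
{
    size_t maxsuf = 0;
    for (int i = 0; TGZsuffix[i]; i++) {
        size_t l = strlen(TGZsuffix[i]);
        if (l > maxsuf) maxsuf = l;
    }
    return strlen(arcname) + maxsuf < bufsize;
}

/* Bounded replacement for the two strcpy() calls: builds arcname+suffix
 * into out and returns 1, or returns 0 if the result would be truncated. */
int build_candidate(char *out, size_t outsz, const char *arcname,
                    const char *suffix)
{
    int n = snprintf(out, outsz, "%s%s", arcname, suffix);
    return n >= 0 && (size_t)n < outsz;
}

/* Hardened lookup: rejects over-long names up front instead of writing
 * past the end of the static global buffer. */
const char *TGZfname_safe(const char *arcname)
{
    static char buffer[NAME_BUF];
    if (!tgz_name_fits(arcname, sizeof buffer))
        return NULL;
    for (int i = 0; TGZsuffix[i]; i++) {
        if (!build_candidate(buffer, sizeof buffer, arcname, TGZsuffix[i]))
            return NULL;
        if (access(buffer, F_OK) == 0)
            return buffer;
    }
    return NULL;
}
```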



Source: https://seclists.org/oss-sec/2026/q1/29