Bug#532736: CVE-2009-1391: Buffer overflow in Compress::Raw::Zlib

Niko Tyni ntyni at debian.org
Sat Jun 13 19:43:55 UTC 2009


On Fri, Jun 12, 2009 at 11:16:54PM +0300, Niko Tyni wrote:

> > > > Compress::Raw::Zlib versions before 2.017 contain a buffer overflow in
> > > > inflate(). A badly formed zlib-stream can trigger this buffer overflow and cause
> > > > the perl process at least to hang or to crash.
> > 
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1391
 
> Just uploaded perl/5.10.0-23 with the minimal fix and urgency=high.
 
libcompress-raw-zlib-perl 2.015-2 with the fix is now in incoming as well.

Security team: I'm attaching proposed debdiffs for stable updates.
Do you agree that this fix is sufficient? Shall I go ahead and upload?

Cheers,
-- 
Niko Tyni   ntyni at debian.org
-------------- next part --------------
diff -u perl-5.10.0/patches-applied perl-5.10.0/patches-applied
--- perl-5.10.0/patches-applied
+++ perl-5.10.0/patches-applied
@@ -38,6 +38,7 @@
 debian/patches/37_fix_coredump_indicator
 debian/patches/38_fix_weaken_memleak
 debian/patches/39_fix_archive_tar_symlink_unpack
+debian/patches/40_compress_raw_zlib_cve_2009_1391
 debian/patches/50_debian_use_gdbm
 debian/patches/51_debian_ld_run_path
 debian/patches/52_debian_extutils_hacks
diff -u perl-5.10.0/debian/changelog perl-5.10.0/debian/changelog
--- perl-5.10.0/debian/changelog
+++ perl-5.10.0/debian/changelog
@@ -1,3 +1,10 @@
+perl (5.10.0-19lenny1) stable-security; urgency=high
+
+  * [SECURITY] CVE-2009-1391: Fix a buffer overflow in Compress::Raw::Zlib.
+    (Closes: #532736)
+
+ -- Niko Tyni <ntyni at debian.org>  Fri, 12 Jun 2009 23:22:04 +0300
+
 perl (5.10.0-19) unstable; urgency=low
 
   * Downgrade the perl-doc recommendation to a suggestion.
only in patch2:
unchanged:
--- perl-5.10.0.orig/ext/Compress/Raw/Zlib/Zlib.xs
+++ perl-5.10.0/ext/Compress/Raw/Zlib/Zlib.xs
@@ -1295,7 +1295,7 @@
 
         if (s->stream.avail_out == 0 ) {
 	    /* out of space in the output buffer so make it bigger */
-            Sv_Grow(output, SvLEN(output) + bufinc) ;
+            Sv_Grow(output, SvLEN(output) + bufinc +1) ;
             cur_length += increment ;
             s->stream.next_out = (Bytef*) SvPVbyte_nolen(output) + cur_length ;
             increment = bufinc ;
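Review bot: the entire fix is the one extra byte in `Sv_Grow(output, SvLEN(output) + bufinc +1) ;`, and nothing in the hunk explains why a single byte closes the overflow; since this same change is carried in three places across the two debdiffs, the patch header should state the reasoning (presumably that SvLEN counts the trailing NUL Perl keeps after the string data, so growing by exactly bufinc left one byte less than the space handed to zlib from cur_length onward) so a stable-security reviewer can check it rather than take the +1 on trust. Minor style point: the surrounding code writes ` + bufinc` with spaces, so `+ 1` would match.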
only in patch2:
unchanged:
--- perl-5.10.0.orig/debian/patches/40_compress_raw_zlib_cve_2009_1391
+++ perl-5.10.0/debian/patches/40_compress_raw_zlib_cve_2009_1391
@@ -0,0 +1,27 @@
+From: Niko Tyni <ntyni at debian.org>
+Subject: [PATCH] [CVE-2009-1391] Buffer overflow in Compress::Raw::Zlib
+Closes: 532736
+
+Fix cherry-picked from upstream 2.017.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1391
+
+---
+ ext/Compress/Raw/Zlib/Zlib.xs |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/ext/Compress/Raw/Zlib/Zlib.xs b/ext/Compress/Raw/Zlib/Zlib.xs
+index b100f4c..a80c581 100644
+--- a/ext/Compress/Raw/Zlib/Zlib.xs
++++ b/ext/Compress/Raw/Zlib/Zlib.xs
+@@ -1295,7 +1295,7 @@ inflate (s, buf, output, eof=FALSE)
+ 
+         if (s->stream.avail_out == 0 ) {
+ 	    /* out of space in the output buffer so make it bigger */
+-            Sv_Grow(output, SvLEN(output) + bufinc) ;
++            Sv_Grow(output, SvLEN(output) + bufinc +1) ;
+             cur_length += increment ;
+             s->stream.next_out = (Bytef*) SvPVbyte_nolen(output) + cur_length ;
+             increment = bufinc ;
+-- 
+tg: (71b2123..) fixes/compress-raw-zlib-cve-2009-1391 (depends on: upstream)
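Review bot: the patch header says "Fix cherry-picked from upstream 2.017" and gives the bugzilla URL, but no upstream commit or changelog reference, which is what a reviewer needs to confirm the cherry-pick matches what 2.017 shipped; add one (a labelled placeholder if the id is not at hand). Also, the `tg: (71b2123..) fixes/compress-raw-zlib-cve-2009-1391 (depends on: upstream)` trailer after `-- ` is topgit bookkeeping; it is harmless to `patch` but is noise in a file that ships in the source package.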
-------------- next part --------------
diff -u libcompress-raw-zlib-perl-2.012/debian/changelog libcompress-raw-zlib-perl-2.012/debian/changelog
--- libcompress-raw-zlib-perl-2.012/debian/changelog
+++ libcompress-raw-zlib-perl-2.012/debian/changelog
@@ -1,3 +1,10 @@
+libcompress-raw-zlib-perl (2.012-1lenny1) stable-security; urgency=high
+
+  * [SECURITY] CVE-2009-1391: Fix a buffer overflow in inflate().
+    (Closes: #532738)
+
+ -- Niko Tyni <ntyni at debian.org>  Sat, 13 Jun 2009 22:19:41 +0300
+
 libcompress-raw-zlib-perl (2.012-1) unstable; urgency=low
 
   * New upstream release
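Review bot: this changelog entry closes #532738, whereas the cover mail subject and the perl changelog hunk close #532736. If #532738 is a separate bug filed against libcompress-raw-zlib-perl that is correct, but it is worth confirming before upload, since a wrong number leaves the real bug open after the security update lands.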
diff -u libcompress-raw-zlib-perl-2.012/debian/patches/series libcompress-raw-zlib-perl-2.012/debian/patches/series
--- libcompress-raw-zlib-perl-2.012/debian/patches/series
+++ libcompress-raw-zlib-perl-2.012/debian/patches/series
@@ -1 +1,2 @@
+CVE-2009-1391
 use-debian-zlib.patch
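Review bot: the new series entry `CVE-2009-1391` carries no `.patch` suffix while the existing entry is `use-debian-zlib.patch`; naming it `CVE-2009-1391.patch` keeps debian/patches consistent. Inserting it ahead of `use-debian-zlib.patch` is fine as long as the two patches do not touch the same lines, which the series file alone cannot show; the quilt refresh should be checked.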
only in patch2:
unchanged:
--- libcompress-raw-zlib-perl-2.012.orig/debian/patches/CVE-2009-1391
+++ libcompress-raw-zlib-perl-2.012/debian/patches/CVE-2009-1391
@@ -0,0 +1,18 @@
+[SECURITY] CVE-2009-1391: Fix a buffer overflow in inflate().
+
+Closes: #532738
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1391
+
+Fix cherry-picked from upstream version 2.017.
+--- libcompress-raw-zlib-perl-2.012.orig/Zlib.xs
++++ libcompress-raw-zlib-perl-2.012/Zlib.xs
+@@ -1319,7 +1319,7 @@
+     while (RETVAL == Z_OK) {
+         if (s->stream.avail_out == 0 ) {
+ 	    /* out of space in the output buffer so make it bigger */
+-            Sv_Grow(output, SvLEN(output) + bufinc) ;
++            Sv_Grow(output, SvLEN(output) + bufinc +1) ;
+             cur_length += increment ;
+             s->stream.next_out = (Bytef*) SvPVbyte_nolen(output) + cur_length ;
+             increment = bufinc ;
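Review bot: the hunk header `@@ -1319,7 +1319,7 @@` has no function context, unlike the perl 5.10.0 copy of the same fix, which is anchored with `inflate (s, buf, output, eof=FALSE)`. Since `patch` will then locate the hunk by offset and fuzz, and an `Sv_Grow(output, SvLEN(output) + bufinc)` growth loop of this shape could plausibly occur in more than one XS function in Zlib.xs, verify that the patched location in 2.012 is the one inside inflate(), matching the changelog line "Fix a buffer overflow in inflate()". Adding the function name to the hunk header, or an Author: line to the header text, would also make this patch file self-describing like its perl-5.10.0 counterpart.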

