-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 AxKit Advisory 2002-03-11 Possible zlib Vulnerability
Author: Matt Sergeant, [EMAIL PROTECTED] Systems Affected: - All AxKit systems running zlib < 1.1.4 Risk: - Low Overview A buffer overflow has been found in the decompression code in versions of the zlib library prior to version 1.1.4 (released on 2002-03-11). This does not compromise the compression features of zlib. For a full description of the zlib vulnerability see the zlib advisory referred to below. This vulnerability could potentially be exploited on AxKit systems to execute arbitrary code on the server. Description AxKit can use the GNOME project's libxml2 library to read XML and libxml2 uses zlib to decompress gzipped XML. If an exploit is found for the zlib vulnerability and, in addition, some way is found to trick AxKit into reading arbitrary gzipped XML files, an exploit of the zlib vulnerability using AxKit is possible. There is no known exploit for the zlib vulnerability at this time, though one may be found. AxKit uses the zlib library directly in a number of places. Most often, zlib is used to automatically compress output when the AxGzipOutput On directive is used. Because this feature only enables compression we do *not* believe it enables an exploit of the zlib vulnerability. Impact Because this vulnerability is associated only with decompressing data and because a further exploit would need to be found to trick AxKit in to decompressing such data and because any exploit found will be restricted to the user Apache is running under (usually the "nobody" user), the risk that an exploit will be engineered for an AxKit enabled server is low. Judging by the nature of the vulnerability, the difficulty of creating an exploit is very high if not impossible. Moreover, the implementation of the malloc() system call might prevent this vulnerability on some systems or on some configurations. However, we advise all AxKit users to upgrade their version of zlib. Solution New versions of zlib should be available from your vendor, an updated version of zlib (1.1.4) is now available for download from the official zlib web site at http://www.gzip.org/zlib/ Acknowledgments Thanks to Barrie Slaymaker and Joerg Walter for their help in writing this advisory. Links: The zlib advisory: http://www.gzip.org/zlib/advisory-2002-03-11.txt This document is available at http://axkit.org/advisory-2002-03-11.txt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjyNKhYACgkQ2o1H04q650PAoQCeLVFCoRQpSKR9dNnfAZpX1wbx D7sAnjXBhSG6fN/7ybg/LWnxx7HWQcp+ =jSoV -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
