Message-ID: <6f0b0b83-5698-4f87-975f-6b4885523850@oracle.com>
Date: Tue, 6 Jan 2026 09:31:08 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: Fwd: [FD] zlib v1.3.1.2 Global Buffer Overflow in TGZfname() of zlib untgz Utility via Unbounded strcpy() on User-Supplied Archive Name
I didn't see any mention of this in https://github.com/madler/zlib so
I filed https://github.com/madler/zlib/issues/1142 .
Note once again, this is in a utility in the contrib directory, not the main
zlib library itself. (And 1.3.1.2 is not an actual release, but a git tag being
used for other purposes - see https://github.com/madler/zlib/discussions/1128 .)
-alan-
-------- Forwarded Message --------
Subject: [FD] zlib v1.3.1.2 Global Buffer Overflow in TGZfname() of zlib untgz Utility via Unbounded strcpy() on User-Supplied Archive Name
Date: Mon, 29 Dec 2025 22:43:46 -0500
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
A global buffer overflow vulnerability exists in the TGZfname() function of
the zlib untgz utility due to the use of an unbounded strcpy() call on
attacker-controlled input. The utility copies a user-supplied archive name
(argv[arg]) into a fixed-size static global buffer of 1024 bytes without
performing any length validation. Supplying an archive name longer than
1024 bytes results in an out-of-bounds write past the end of the global
buffer, leading to memory corruption.
The vulnerable code is reached prior to any archive parsing or validation,
making the flaw trivially reachable through command-line input alone.
*Root Cause*
* arcname is derived directly from argv[]
* No bounds checking is performed before copying into buffer
* buffer is a global static array, not stack-allocated
* Overflow occurs immediately on function entry
*Impact*
An attacker can trigger a global buffer overflow by invoking untgz with a
sufficiently long filename argument.
Potential impacts include:
* Denial of Service (crash)
* Memory corruption of adjacent global objects
* Undefined behavior
* Potential code execution depending on:
  * compiler
  * architecture
  * build flags
  * memory layout
Because the overflow affects global memory, corruption may persist beyond
the scope of the function and influence later program behavior.
*Evidence:*
./untgz_asan $(python3 - <<'EOF'
print("A" * 4096)
EOF)
*ASAN Output:*
=================================================================
==3141495==ERROR: AddressSanitizer: global-buffer-overflow on address
0xaaaab54d8ec0 at pc 0xaaaab4a91bec bp 0xfffffd1e5150 sp 0xfffffd1e4940
WRITE of size 2001 at 0xaaaab54d8ec0 thread T0
#0 0xaaaab4a91be8 in strcpy
(/root/zlib/contrib/untgz/untgz_asan+0xc1be8) (BuildId:
31ab7d499b8ab40a93265dad8bfb879e63c604ab)
#1 0xaaaab4aee508 in TGZfname /root/zlib/contrib/untgz/untgz.c:136:3
#2 0xaaaab4af2fec in main /root/zlib/contrib/untgz/untgz.c:638:20
#3 0xffffbaa52598 in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#4 0xffffbaa52678 in __libc_start_main csu/../csu/libc-start.c:360:3
#5 0xaaaab4a079ac in _start
(/root/zlib/contrib/untgz/untgz_asan+0x379ac) (BuildId:
31ab7d499b8ab40a93265dad8bfb879e63c604ab)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
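The bug class in the forwarded report, reconstructed as an added example (this is not zlib's or the reporter's code): an unbounded strcpy() into a fixed 1024-byte static buffer, next to a bounded replacement that checks every "name + suffix" candidate against the buffer size before anything is copied or probed on disk. The suffix list, the function names and the lookup_repeated_name() driver are assumptions constructed for the example.

```c
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#define NAME_BUF 1024   /* same size as the static buffer the report describes */
/* Suffixes tried when the user omits one; constructed for this example. */
static const char *suffixes[] = { "", ".tar", ".tar.gz", ".tgz", NULL };

/* Vulnerable pattern, kept for contrast: strlen(arcname)+1 bytes land in a
 * fixed static buffer with no check, the bug class the report describes. */
char *tgz_name_unbounded(const char *arcname)
{
    static char buffer[NAME_BUF];
    strcpy(buffer, arcname);   /* overflows once strlen(arcname) >= NAME_BUF */
    return buffer;
}

/* Hardened helper: build "<arcname><suffix>" only if it fits in outsz,
 * terminating NUL included. Returns 0 on success, -1 if rejected. */
int build_candidate(char *out, size_t outsz, const char *arcname, const char *suffix)
{
    size_t n = strlen(arcname), s = strlen(suffix);
    if (s > SIZE_MAX - n || n + s >= outsz)
        return -1;
    memcpy(out, arcname, n);
    memcpy(out + n, suffix, s + 1);   /* s + 1 copies the NUL as well */
    return 0;
}

/* Hardened lookup: 1 if a candidate exists on disk (out[] holds it), 0 if none
 * does, -1 if the name is too long for some candidate. Every suffix is
 * length-checked before the filesystem is touched, so an oversized name is never copied. */
int tgz_name_bounded(const char *arcname, char *out, size_t outsz)
{
    for (size_t i = 0; suffixes[i]; i++)
        if (build_candidate(out, outsz, arcname, suffixes[i]) != 0)
            return -1;
    for (size_t i = 0; suffixes[i]; i++)
        if (build_candidate(out, outsz, arcname, suffixes[i]) == 0 && access(out, F_OK) == 0)
            return 1;
    return 0;
}

/* Constructed driver: an arcname of len 'A' bytes, like the 4096-byte PoC argument. */
int lookup_repeated_name(size_t len)
{
    char name[8192], out[NAME_BUF];
    if (len >= sizeof name) return -2;
    memset(name, 'A', len);
    name[len] = '\0';
    return tgz_name_bounded(name, out, sizeof out);   /* 4096 -> -1, rejected before any copy */
}
```

Note that the bounded check reserves room for the longest suffix, not just the bare name, so a 1023-byte name is also rejected even though it would fit the buffer by itself.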