Message-ID: <91f5f502-2d9d-40cd-8518-1f6526030870@geeklan.co.uk>
Date: Thu, 19 Feb 2026 00:05:56 +0000
From: Sevan Janiyan <venture37@...klan.co.uk>
To: oss-security@...ts.openwall.com
Subject: Re: Re: zlib security audit by 7asecurity

On 18/02/2026 12:15, Sevan Janiyan wrote:
> Dug in a bit further and realised the logic in gzguts.h makes the wrong 
> assumption about "if C89/90, assume no C99 snprintf() or vsnprintf()" as 
> these functions have been around for a very long time[1] though 
> formalised in C99. All versions of OS X include it and you are likely 
> going to be building with a compiler that only supports C89/90 on the 
> earlier releases or defaults to it.

I did some more digging and found that on OS X 10.6 (from 2009) and 
prior, vsnprintf() is not used because of the discrepancy in gzguts.h, 
though configure is happy.
On OS X 10.7 (from 2011) onwards you're good if you stick to the default 
compiler which is clang.
If you switch to the fallback secondary compiler (llvm-gcc 4.2) then 
you'll have the same issue as OS X 10.6 and prior, when building on OS X 
10.7 & 10.8 (from 2012).
Issue goes away in 10.9 (from 2013) since it only includes clang.
The patch I submitted[1] in the pull request fixes all versions which 
had issues (10.2 up to 10.8) that I tested, when running the test suite.

While I've investigated the issue on Mac OS X, I suspect the issue 
applies to legacy versions of derivatives from the same lineage[2] in 
general which use legacy GCC, if you're still building modern zlib on it.

Not sure if that's what was meant by "real-world environment". :)

Sincerely,


Sevan
[1] https://github.com/madler/zlib/pull/1167
[2] https://www.tuhs.org/cgi-bin/utree.pl?file=Net2/usr/src/lib/libc/stdio
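An added illustration of the discrepancy described above (this is not zlib's gzguts.h and the function names are assumed): a gate that reads "not C99" as "no vsnprintf()" disagrees with a configure probe on a host whose libc has the function but whose compiler reports C89, while a gate that trusts the probe keeps the bounded formatter.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Gate in the style the message criticises: "not C99" is read as
 * "no vsnprintf()".  stdc_version is the value of __STDC_VERSION__,
 * or 0 when the macro is undefined (a plain C89/90 compiler).
 * C89 (0) and C94 (199409L) both disable it, whatever libc offers. */
int std_gate_disables_vsnprintf(long stdc_version)
{
    return stdc_version < 199901L;
}

/* Hardened gate: trust what the configure probe found on this host
 * (1 = vsnprintf() linked, 0 = it did not, -1 = no probe result).
 * The standard version only decides when no probe result exists. */
int probe_gate_disables_vsnprintf(int have_vsnprintf_probe, long stdc_version)
{
    if (have_vsnprintf_probe >= 0)
        return have_vsnprintf_probe == 0;
    return std_gate_disables_vsnprintf(stdc_version);
}

/* Bounded formatter selected when vsnprintf() is available: writes at
 * most cap-1 characters plus the NUL and returns the length that was
 * needed, so a caller can detect truncation (n >= cap) rather than an
 * overflow. */
int gz_format(char *buf, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(buf, cap, fmt, ap);
    va_end(ap);
    return n;
}

int main(void)
{
    char buf[8];
    int n = gz_format(buf, sizeof buf, "%s", "vsnprintf-is-old");
    /* The OS X 10.6 case: the probe says present, the header says absent. */
    printf("std gate disables: %d, probe gate disables: %d\n",
           std_gate_disables_vsnprintf(0), probe_gate_disables_vsnprintf(1, 0));
    printf("needed %d bytes for a %u-byte buffer -> \"%s\"\n",
           n, (unsigned)sizeof buf, buf);
    return 0;
}
```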
