Message-ID: <91f5f502-2d9d-40cd-8518-1f6526030870@geeklan.co.uk>
Date: Thu, 19 Feb 2026 00:05:56 +0000
From: Sevan Janiyan <venture37@...klan.co.uk>
To: oss-security@...ts.openwall.com
Subject: Re: Re: zlib security audit by 7asecurity

On 18/02/2026 12:15, Sevan Janiyan wrote:
> Dug in a bit further and realised the logic in gzguts.h makes the wrong
> assumption about "if C89/90, assume no C99 snprintf() or vsnprintf()" as
> these functions have been around for a very long time[1] though
> formalised in C99. All versions of OS X include it and you are likely
> going to be building with a compiler that only supports C89/90 on the
> earlier releases or defaults to it.

I did some more digging and found that on OS X 10.6 (from 2009) and prior
vsnprintf() is not used because of the discrepancy in gzguts.h, though
configure is happy.

On OS X 10.7 (from 2011) onwards you're good if you stick to the default
compiler which is clang. If you switch to the fallback secondary compiler
(llvm-gcc 4.2) then you'll have the same issue as OS X 10.6 and prior, when
building on OS X 10.7 & 10.8 (from 2012). Issue goes away in 10.9 (from 2013)
since it only includes clang.

The patch I submitted[1] in the pull request fixes all versions which had
issues (10.2 up to 10.8) that I tested, when running the test suite.

While I've investigated the issue on Mac OS X, I suspect the issue applies to
legacy versions of derivatives from the same lineage[2] in general which use
legacy GCC, if you're still building modern zlib on it. Not sure if that's
what was meant by "real-world environment". :)

Sincerely,

Sevan

[1] https://github.com/madler/zlib/pull/1167
[2] https://www.tuhs.org/cgi-bin/utree.pl?file=Net2/usr/src/lib/libc/stdio
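
Added example, not part of the original message and not code from zlib or its pull request: the message turns on the compiler's language level and the C library's vsnprintf() being two independent facts, so this C program checks each one separately, the way a configure-style probe would. All function names and the sample string are made up for illustration.

```c
/* Added illustration; every name here is hypothetical, none is zlib's. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define PROBE_TEXT "abcdefghijklmnopqrstuvwxyz"  /* constructed input, 26 chars */

/* 1 if the compiler announces C99 or later (strict C89/C90 does not). */
int lang_claims_c99(void) {
#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L
    return 1;
#else
    return 0;
#endif
}

/* Thin variadic wrapper so the probes exercise vsnprintf() itself. */
static int fmt_bounded(char *dst, size_t cap, const char *fmt, ...) {
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(dst, cap, fmt, ap);
    va_end(ap);
    return n;
}

/* Return value of a truncated call: C99 gives the untruncated length. */
int probe_return_value(void) {
    char buf[8];
    return fmt_bounded(buf, sizeof buf, "%s", PROBE_TEXT);
}

/* 1 if vsnprintf() stayed inside an 8-byte window and terminated it. */
int probe_bounded(void) {
    char buf[16];
    memset(buf, 0x7f, sizeof buf);            /* bytes 8..15 act as guards */
    fmt_bounded(buf, 8, "%s", PROBE_TEXT);
    return memchr(buf, '\0', 8) != NULL && buf[8] == 0x7f && buf[15] == 0x7f;
}

/* 1 when a "C99 or nothing" rule would skip a vsnprintf() that works. */
int level_rule_skips_working_vsnprintf(void) {
    return probe_bounded() && !lang_claims_c99();
}

int main(void) {
    printf("c99=%d bounded=%d ret=%d skipped=%d\n", lang_claims_c99(),
           probe_bounded(), probe_return_value(),
           level_rule_skips_working_vsnprintf());
    return 0;
}
```

Building the same file once with the compiler's default mode and once with a C89/C90 mode shows `c99` flipping while `bounded` stays 1, provided the libc headers still declare vsnprintf() in that mode.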