zlib Buffer Overflow Vulnerability in untgz Utility

Vulnerability

A global buffer overflow vulnerability has been identified in zlib versions through 1.3.1.2, specifically within the untgz utility. The issue arises in the TGZfname() function, where an attacker can supply an archive name that is copied into a fixed-size 1024-byte static global buffer. This is done using an unbounded strcpy() call, without any length validation. As a result, an archive name longer than 1024 bytes can cause an out-of-bounds write, leading to memory corruption. This vulnerability can cause a denial-of-service, memory corruption of adjacent global objects, undefined behavior, and potentially code execution, depending on the compiler, architecture, build flags, and memory layout.

Impact

Exploitation of this vulnerability causes a global buffer overflow, which can lead to memory corruption, a program crash, and potentially arbitrary code execution.

Reproduction

The vulnerability can be reproduced by invoking the untgz utility with a filename argument longer than 1024 bytes, for example by generating a string of 4096 'A' characters and passing it as the argument to untgz. AddressSanitizer (ASan) then reports the global buffer overflow, confirming that the out-of-bounds write was triggered.
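The bounded alternative to the unchecked copy described above, as an added example (not zlib's code and not the project's patch). The names `name_buf` and `safe_archive_name` are hypothetical, and the `suffix` parameter is an assumption for callers that append an extension to the name.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 1024          /* buffer size stated in the advisory */

/* Hypothetical stand-in for the static global name buffer. */
static char name_buf[NAME_BUF_SIZE];

/*
 * Pattern described in the advisory (for contrast, not compiled):
 *     strcpy(name_buf, arcname);      // no length check
 *
 * Bounded replacement: validate the total length before any byte is
 * written. `suffix` is an assumption for callers that append an
 * extension; pass "" when there is none.
 * Returns name_buf, or NULL with errno = ENAMETOOLONG / EINVAL.
 */
const char *safe_archive_name(const char *arcname, const char *suffix)
{
    size_t name_len, suffix_len;

    if (arcname == NULL || suffix == NULL) {
        errno = EINVAL;
        return NULL;
    }
    name_len = strlen(arcname);
    suffix_len = strlen(suffix);

    /* Compare by subtraction so the sum cannot wrap around. */
    if (name_len >= NAME_BUF_SIZE ||
        suffix_len >= NAME_BUF_SIZE - name_len) {
        errno = ENAMETOOLONG;
        return NULL;
    }
    memcpy(name_buf, arcname, name_len);
    memcpy(name_buf + name_len, suffix, suffix_len + 1);  /* copies the NUL */
    return name_buf;
}

int main(int argc, char **argv)
{
    const char *name = safe_archive_name(argc > 1 ? argv[1] : "", "");
    if (name == NULL) {
        fprintf(stderr, "archive name rejected\n");
        return 1;
    }
    printf("archive name accepted (%zu bytes)\n", strlen(name));
    return 0;
}
```

The boundary is the case to test: a 1023-byte name fits with its terminator, while a 1024-byte name is rejected before anything is written.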

Added: Jan 7, 2026, 9:22 PM
Updated: Jan 7, 2026, 9:22 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 10.0
exploitability: 6.0
remediation: 0.0
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.