Ancient CVE-2003-0107 shown for current zlib 1.3.1

[exoosh]

Hey folks, I am not yet sure if this is a user issue on our end or a defect so I wanted to bring this up here first and potentially take it to the issue tracker later if this gets confirmed.

The following issue. We have uploaded an SBOM to our local DependencyTrack instance and one of the libraries is zlib. The respective row looks like this (excerpt):

Component	Version	Group	Vulnerability	Severity	Analyzer
zlib	1.3.1		NVD CVE-2003-0107	High	OSS Index

Screenshot:

Now, what strikes me as odd is that this is a vulnerability from 2003, no less than twenty years ago. But the zlib version we use — 1.3.1 — isn't quite that old and supposed to be the most recent released version.

Following the link one even gets to see (emphasis mine):

Buffer overflow in the gzprintf function in zlib 1.1.4, when zlib is compiled without vsnprintf or when long inputs are truncated using vsnprintf, allows attackers to cause a denial of service or possibly execute arbitrary code.

What gives?

Is this a defect, e.g. in the way version numbers are getting compared?

Here's the excerpt from the (re-exported) SBOM:

    {
      "author" : "Conan",
      "name" : "zlib",
      "version" : "1.3.1",
      "description" : "A Massively Spiffy Yet Delicately Unobtrusive Compression Library (Also Free, Not to Mention Unencumbered by Patents)",
      "licenses" : [
        {
          "license" : {
            "id" : "Zlib"
          }
        }
      ],
      "purl" : "pkg:conan/[email protected]?rref=f52e03ae3d251dec704634230cd806a2",
      "externalReferences" : [
        {
          "type" : "website",
          "url" : "https://zlib.net"
        }
      ],
      "type" : "library",
      "bom-ref" : "3ceed0b5-28a6-448c-91e8-e7676ae43844"
    },

plus the vulnerability from the (re-exported) SBOM:

    {
      "bom-ref" : "019257d7-f05b-4df5-ac6b-984d1ccc0887",
      "id" : "CVE-2003-0107",
      "source" : {
        "name" : "NVD",
        "url" : "https://nvd.nist.gov/"
      },
      "ratings" : [
        {
          "source" : {
            "name" : "NVD",
            "url" : "https://nvd.nist.gov/"
          },
          "score" : 7.5,
          "severity" : "high",
          "method" : "CVSSv2",
          "vector" : "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"
        }
      ],
      "description" : "Buffer overflow in the gzprintf function in zlib 1.1.4, when zlib is compiled without vsnprintf or when long inputs are truncated using vsnprintf, allows attackers to cause a denial of service or possibly execute arbitrary code.",
      "published" : "2003-03-07T05:00:00Z",
      "updated" : "2022-06-22T16:40:00Z",
      "affects" : [
        {
          "ref" : "3ceed0b5-28a6-448c-91e8-e7676ae43844"
        }
      ]
    }

Any insights into what's going on or an assurance that this is merely a defect we encountered would be much appreciated.

Thanks,

Oliver

PS: Debian tracks it as fixed but there is no information from the upstream project that I could find about this being fixed.

[nscuro]

It's reported by OSS Index: https://ossindex.sonatype.org/component/pkg:conan/[email protected]

You can report erroneous advisories with them here: https://ossindex.sonatype.org/doc/report-vulnerability

[exoosh]

I see, so the source used by DependencyTrack is in error here? Thanks.

[exoosh]

madler/zlib@7c2a874#diff-1f4e93872346cab83e266a0cb381567b076744cf936ce05b841b1dad57dbee5fR544-R617 suggests this got addressed

https://github.com/madler/zlib/blob/7c2a874e50b871d04fbd19501f7b42cff55e5abc/gzio.c actual version_with_ the fix in 1.2.0.

[exoosh]

I think the CVE is technically correct, because the description makes it conditional. Technically we still — as of now — this code delegates to gzvprintf which still can be toggled through the NO_vsnprintf define to fall back to vsprintf, tickling out the underlying vulnerability.