From fd366384cf324d750596feb03be44ddf4d1e6acd Mon Sep 17 00:00:00 2001
From: Mark Adler
Date: Sat, 3 Jan 2026 01:07:40 -0600
Subject: Prevent the use of insecure functions without an explicit request.

ZLIB_INSECURE must be defined in order to compile code that uses the insecure functions vsprintf() or sprintf(). This would occur only if the standard vsnprintf() or snprintf() functions are not available. Providing the --insecure option to ./configure will define ZLIB_INSECURE. A flag is added to zlibCompileFlags() to indicate that gzprintf() is not implemented due to the need for the use of an insecure function, but ZLIB_INSECURE was not defined.
---
 configure | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

(limited to 'configure')

diff --git a/configure b/configure
index 1d3d660..872c50a 100755
--- a/configure
+++ b/configure
@@ -92,6 +92,7 @@ warn=0
 debug=0
 address=0
 memory=0
+insecure=0
 unknown=0
 old_cc="$CC"
 old_cflags="$CFLAGS"
@@ -118,7 +119,7 @@ case "$1" in
 -h* | --help)
 echo 'usage:' | tee -a configure.log
 echo ' configure [--const] [--zprefix] [--prefix=PREFIX] [--eprefix=EXPREFIX]' | tee -a configure.log
- echo ' [--static] [--64] [--libdir=LIBDIR] [--sharedlibdir=LIBDIR]' | tee -a configure.log
+ echo ' [--insecure] [--static] [--64] [--libdir=LIBDIR] [--sharedlibdir=LIBDIR]' | tee -a configure.log
 echo ' [--includedir=INCLUDEDIR] [--archs="-arch i386 -arch x86_64"]' | tee -a configure.log
 exit 0 ;;
 -p*=* | --prefix=*) prefix=`echo $1 | sed 's/.*=//'`; shift ;;
@@ -146,6 +147,7 @@ case "$1" in
 --sanitize) address=1; shift ;;
 --address) address=1; shift ;;
 --memory) memory=1; shift ;;
+ --insecure) insecure=1; shift ;;
 *) unknown=1; echo "unknown option ignored: $1" | tee -a configure.log; shift;;
 esac
 done
@@ -256,6 +258,9 @@ if test "$gcc" -eq 1 && ($cc -c $test.c) >> configure.log 2>&1; then
 if test $memory -eq 1; then
 CFLAGS="${CFLAGS} -g -fsanitize=memory -fno-omit-frame-pointer"
 fi
+ if test $insecure -eq 1; then
+ CFLAGS="${CFLAGS} -DZLIB_INSECURE"
+ fi
 if test $debug -eq 1; then
 CFLAGS="${CFLAGS} -DZLIB_DEBUG"
 SFLAGS="${SFLAGS} -DZLIB_DEBUG"
@@ -740,7 +745,10 @@ EOF
 echo " WARNING: vsnprintf() not found, falling back to vsprintf(). zlib" | tee -a configure.log
 echo " can build but will be open to possible buffer-overflow security" | tee -a configure.log
 echo " vulnerabilities." | tee -a configure.log
-
+ if test $insecure -ne 1; then
+ echo " The --insecure option must be provided to ./configure in order to" | tee -a configure.log
+ echo " compile using the insecure vsprintf() function." | tee -a configure.log
+ fi
 echo >> configure.log
 cat >$test.c <
@@ -824,7 +832,10 @@ EOF
 echo " WARNING: snprintf() not found, falling back to sprintf(). zlib" | tee -a configure.log
 echo " can build but will be open to possible buffer-overflow security" | tee -a configure.log
 echo " vulnerabilities." | tee -a configure.log
-
+ if test $insecure -ne 1; then
+ echo " The --insecure option must be provided to ./configure in order to" | tee -a configure.log
+ echo " compile using the insecure sprintf() function." | tee -a configure.log
+ fi
 echo >> configure.log
 cat >$test.c <
-- 
cgit v1.2.3-55-g6feb
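Review bot: The new block appends -DZLIB_INSECURE to CFLAGS only, while the -DZLIB_DEBUG block directly beneath it appends its define to both CFLAGS and SFLAGS; if the shared-library objects are compiled with SFLAGS, as that precedent suggests, --insecure would take effect in the static library but not in the shared one, so the two builds would differ in whether gzprintf() is implemented and in what zlibCompileFlags() reports. Add `SFLAGS="${SFLAGS} -DZLIB_INSECURE"` after the new CFLAGS line. The enclosing if-block, which the hunk header shows to be the gcc branch, begins and ends outside this hunk; if the non-gcc branch has no equivalent, --insecure is silently ignored there, and a line in configure.log saying so would help.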
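Review bot: The three WARNING lines above the new block still state that zlib "can build but will be open to possible buffer-overflow security vulnerabilities", yet they are printed unconditionally, including when --insecure was not given and, per the commit message, gzprintf() is then left unimplemented rather than built on vsprintf(). The added lines name the requirement but not the consequence of omitting it; consider adding `echo "  Without --insecure, gzprintf() will not be implemented in this build." | tee -a configure.log` inside the new if, and making the vulnerability sentence conditional on `test $insecure -eq 1`. The same applies to the snprintf()/sprintf() hunk at -824,7 +832,10. The trailing context line of this hunk after `cat >$test.c` is not visible here.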