This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: ZLIB


Hello Brian,,,  :) :)


OK,,,Thanks for the REPLY! :) :)

I hope I understand what to look for.

And, apologies that I did not provide the link to SecurityTracker.

Thanks for your advise, help, and especially your time!!   :) :)

Jerry 

-------------- Original message from Brian Dessent : -------------- 

> jglong3@att.net wrote: 
> 
> > The following subject was researched in the CYGWIN Archives. If the answer 
> exists, I apologize if the proper string(s) were not input to find the answer to 
> the following discussion. 
> > 
> > A report by SecurityTracker mentions that there is situation in zlib. 
> > This situation in zlib is reported as relative to the inflate() and 
> > inflateBack(). 
> > The report says the situation varies depending on the application 
> > using the zlib library, but if exploited can result in a denial of 
> services. 
> > 
> > Is there a new zlib to correct for this???? 
> > 
> > If so is the correction in Zlib or the cygwin.dll------ 
> > 
> > What download file or files are required???? 
> > 
> > THANKS for your time, help, and advise!!! :) 
> 
> First of all it would have helped if you'd included some links. The 
> page you are referring to is 
> and the 
> problem was reported in the debian bug report 
> . The OpenPKG 
> report at also contains useful links. 
> 
> The date of that advisory was 30-Aug-2004, and the datestamp on the 
> 1.2.1 Cygwin zlib package is 3-Dec-2003 so no, it does not contain this 
> fix. And, unless I missed it there was no announcement in the last week 
> of a new zlib package, so for the time being there is nothing to 
> download. 
> 
> The fix for this advisory is a trivial patch to fix the error handling, 
> as below from the OpenBSD avisory 
> : 
> 
> diff -u -p -r1.2 -r1.2.2.1 
> --- lib/libz/infback.c 17 Dec 2003 00:28:19 -0000 1.2 
> +++ lib/libz/infback.c 28 Aug 2004 16:21:46 -0000 1.2.2.1 
> @@ -446,6 +446,9 @@ void FAR *out_desc; 
> } 
> } 
> 
> + if (state->mode == BAD) 
> + break; 
> + 
> /* build code tables */ 
> state->next = state->codes; 
> state->lencode = (code const FAR *)(state->next); 
> 
> diff -u -p -r1.6 -r1.6.2.1 
> --- lib/libz/inflate.c 17 Dec 2003 00:28:19 -0000 1.6 
> +++ lib/libz/inflate.c 28 Aug 2004 16:21:46 -0000 1.6.2.1 
> @@ -909,6 +909,9 @@ int flush; 
> state->lens[state->have++] = (unsigned 
> short)len; 
> } 
> } 
> + 
> + if (state->mode == BAD) 
> + break; 
> 
> /* build code tables */ 
> state->next = state->codes; 
> 
> If this is important to you then you should download the zlib src 
> package and apply the above. Hopefully the zlib maintainer will release 
> a fixed package shortly, but with free software there is never any 
> guarantee of anything. 
> 
> Brian 
> 
> -- 
> Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple 
> Problem reports: http://cygwin.com/problems.html 
> Documentation: http://cygwin.com/docs.html 
> FAQ: http://cygwin.com/faq/ 
> 

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]