Attn: zlib maintainer, security patch (was: ZLIB)
Brian Dessent
brian@dessent.net
Wed Sep 8 23:18:00 GMT 2004
Brian Dessent wrote:
> The date of that advisory was 30-Aug-2004, and the datestamp on the
> 1.2.1 Cygwin zlib package is 3-Dec-2003 so no, it does not contain this
> fix. And, unless I missed it there was no announcement in the last week
> of a new zlib package, so for the time being there is nothing to
> download.
>
> The fix for this advisory is a trivial patch to fix the error handling,
> as below from the OpenBSD avisory
> <ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/017_libz.patch>:
>
> diff -u -p -r1.2 -r1.2.2.1
> --- lib/libz/infback.c 17 Dec 2003 00:28:19 -0000 1.2
> +++ lib/libz/infback.c 28 Aug 2004 16:21:46 -0000 1.2.2.1
> @@ -446,6 +446,9 @@ void FAR *out_desc;
> }
> }
>
> + if (state->mode == BAD)
> + break;
> +
> /* build code tables */
> state->next = state->codes;
> state->lencode = (code const FAR *)(state->next);
>
> diff -u -p -r1.6 -r1.6.2.1
> --- lib/libz/inflate.c 17 Dec 2003 00:28:19 -0000 1.6
> +++ lib/libz/inflate.c 28 Aug 2004 16:21:46 -0000 1.6.2.1
> @@ -909,6 +909,9 @@ int flush;
> state->lens[state->have++] = (unsigned
> short)len;
> }
> }
> +
> + if (state->mode == BAD)
> + break;
>
> /* build code tables */
> state->next = state->codes;
>
> If this is important to you then you should download the zlib src
> package and apply the above. Hopefully the zlib maintainer will release
> a fixed package shortly, but with free software there is never any
> guarantee of anything.
I'm redirecting this to cygwin-apps just in case it did not pass the
zlib maintainer's notice on the main list.
Brian
More information about the Cygwin-apps
mailing list