This is the mail archive of the cygwin-apps@cygwin.com mailing list for the Cygwin project.
Attn: zlib maintainer, security patch (was: ZLIB)
- From: Brian Dessent <brian at dessent dot net>
- To: cygwin-apps at cygwin dot com
- Date: Wed, 08 Sep 2004 16:22:38 -0700
- Subject: Attn: zlib maintainer, security patch (was: ZLIB)
- Organization: My own little world...
- References: <090720041829.5116.413DFDF100033E40000013FC2160280748CC090201040906@att.net> <413EAE87.4B27954A@dessent.net>
- Reply-to: cygwin-apps at cygwin dot com
Brian Dessent wrote:
> The date of that advisory was 30-Aug-2004, and the datestamp on the
> 1.2.1 Cygwin zlib package is 3-Dec-2003 so no, it does not contain this
> fix. And, unless I missed it there was no announcement in the last week
> of a new zlib package, so for the time being there is nothing to
> download.
>
> The fix for this advisory is a trivial patch to fix the error handling,
> as below from the OpenBSD advisory
> <ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/017_libz.patch>:
>
> diff -u -p -r1.2 -r1.2.2.1
> --- lib/libz/infback.c 17 Dec 2003 00:28:19 -0000 1.2
> +++ lib/libz/infback.c 28 Aug 2004 16:21:46 -0000 1.2.2.1
> @@ -446,6 +446,9 @@ void FAR *out_desc;
> }
> }
>
> + if (state->mode == BAD)
> + break;
> +
> /* build code tables */
> state->next = state->codes;
> state->lencode = (code const FAR *)(state->next);
>
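Review bot: the new `if (state->mode == BAD) break;` sits between the two closing braces of the code-length loop and the `/* build code tables */` comment, which means the table build is skipped only if an earlier error path in that loop already set `state->mode = BAD`; nothing in this hunk sets BAD itself, so when applying it confirm that every error branch in the preceding loop does set the mode (and `strm->msg`) before falling through, otherwise the guard never fires. Also note that quoting has stripped the leading indentation from every line of the hunk, so this copy will not apply cleanly with `patch`; use the linked 017_libz.patch rather than pasting from the mail.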
> diff -u -p -r1.6 -r1.6.2.1
> --- lib/libz/inflate.c 17 Dec 2003 00:28:19 -0000 1.6
> +++ lib/libz/inflate.c 28 Aug 2004 16:21:46 -0000 1.6.2.1
> @@ -909,6 +909,9 @@ int flush;
> state->lens[state->have++] = (unsigned
> short)len;
> }
> }
> +
> + if (state->mode == BAD)
> + break;
>
> /* build code tables */
> state->next = state->codes;
>
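Review bot: this hunk has been damaged in transit and will not apply as shown: the first context line is wrapped across two lines (`state->lens[state->have++] = (unsigned` / `short)len;`) and the indentation is gone, so the line counts in `@@ -909,6 +909,9 @@` no longer match the text. Take the inflate.c change from the linked OpenBSD patch. On the change itself, the guard is the same early exit as in infback.c and is placed at the same point (after the loop, before `/* build code tables */`); the only difference is cosmetic, with the added blank line before the `if` here and after it in infback.c, which is worth normalising when the Cygwin package is rebuilt so the two files stay in step.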
> If this is important to you then you should download the zlib src
> package and apply the above. Hopefully the zlib maintainer will release
> a fixed package shortly, but with free software there is never any
> guarantee of anything.
I'm redirecting this to cygwin-apps just in case it did not pass the
zlib maintainer's notice on the main list.
Brian