Hello Brian,,, :) :)
OK,,,Thanks for the REPLY! :) :) I hope I understand what to look for. And, apologies that I did not provide the link to SecurityTracker.

Thanks for your advice, help, and especially your time!! :) :)

Jerry

-------------- Original message from Brian Dessent : --------------

> [EMAIL PROTECTED] wrote:
>
> > The following subject was researched in the CYGWIN Archives. If the answer
> > exists, I apologize if the proper string(s) were not input to find the answer to
> > the following discussion.
> >
> > A report by SecurityTracker mentions that there is a situation in zlib.
> > This situation in zlib is reported as relative to the inflate() and
> > inflateBack().
> > The report says the situation varies depending on the application
> > using the zlib library, but if exploited can result in a denial of
> > services.
> >
> > Is there a new zlib to correct for this????
> >
> > If so is the correction in Zlib or the cygwin.dll------
> >
> > What download file or files are required????
> >
> > THANKS for your time, help, and advice!!! :)
>
> First of all it would have helped if you'd included some links. The
> page you are referring to is
> and the
> problem was reported in the debian bug report
> . The OpenPKG
> report at also contains useful links.
>
> The date of that advisory was 30-Aug-2004, and the datestamp on the
> 1.2.1 Cygwin zlib package is 3-Dec-2003 so no, it does not contain this
> fix. And, unless I missed it there was no announcement in the last week
> of a new zlib package, so for the time being there is nothing to
> download.
>
> The fix for this advisory is a trivial patch to fix the error handling,
> as below from the OpenBSD advisory
> :
>
> diff -u -p -r1.2 -r1.2.2.1 > --- lib/libz/infback.c 17 Dec 2003 00:28:19 -0000 1.2 > +++ lib/libz/infback.c 28 Aug 2004 16:21:46 -0000 1.2.2.1 
> @@ -446,6 +446,9 @@ void FAR *out_desc; > } > } > > + if (state->mode == BAD) > + break; > + > /* build code tables */ > state->next = state->codes; > state->lencode = (code const FAR *)(state->next); > > diff -u -p -r1.6 -r1.6.2.1 > --- lib/libz/inflate.c 17 Dec 2003 00:28:19 -0000 1.6 > +++ lib/libz/inflate.c 28 Aug 2004 16:21:46 -0000 1.6.2.1 > @@ -909,6 +909,9 @@ int flush; > state->lens[state->have++] = (unsigned > short)len; > } > } > + > + if (state->mode == BAD) > + break; > > /* build code tables */ > state->next = state->codes;
>
> If this is important to you then you should download the zlib src
> package and apply the above. Hopefully the zlib maintainer will release
> a fixed package shortly, but with free software there is never any
> guarantee of anything.
>
> Brian
>
> --
> Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
> Problem reports: http://cygwin.com/problems.html
> Documentation: http://cygwin.com/docs.html
> FAQ: http://cygwin.com/faq/
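
Review bot: in the lib/libz/infback.c hunk (@@ -446,6 +446,9 @@), the new `if (state->mode == BAD) break;` sits directly ahead of `/* build code tables */` with no comment saying why the mode can already be BAD at that point. A one-line comment, for example `/* stop on an error flagged above, before any tables are built */`, would keep a later cleanup from dropping the check as dead code.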
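
Review bot: in the lib/libz/inflate.c hunk (@@ -909,6 +909,9 @@), the context line `state->lens[state->have++] = (unsigned short)len;` has been wrapped across two quoted lines by the mailer, so the hunk as it appears in this message is unlikely to match the source file when fed to patch. Take the diff from the OpenBSD advisory rather than copying it out of the e-mail. The guard is the same one added to infback.c, so a regression test that drives both inflate() and inflateBack() into the BAD state with malformed input would cover the pair.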