On Wed, 5 Feb 2025, Fay Stegerman wrote:

libcurl featured code that at run-time takes a different code path for zlib
versions before 1.0.2.4 because of lack of functionality in those old
versions, and this rarely used piece of code contained the vulnerable code
path.

I assume this last version should have been 1.2.0.4 as before and not 1.0.2.4?

Correct, this has been fixed already in the document version we host.

Which, whilst I doubt we'll see such a zlib version any time soon if ever (though zlib-ng compat might get there a lot faster), would give an incorrect result for e.g. version "1.10.0.0".

Thanks for pointing this out. I have a proposed fix pending: https://github.com/curl/curl/pull/16202

--

 / daniel.haxx.se
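
The "1.10.0.0" case raised above, as an added example (not code from curl or from the pending pull request). It assumes the run-time check is a byte-wise string comparison against "1.2.0.4"; the function names and sample version strings are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Byte-wise check: '1' < '2', so "1.10..." sorts before "1.2...". */
static int at_least_strcmp(const char *ver, const char *min)
{
  return strcmp(ver, min) >= 0;
}

/* Parse up to four dotted numeric fields; missing fields count as 0.
   Parsing stops at the first field that does not start with a digit. */
static void parse_version(const char *s, unsigned long out[4])
{
  int i;
  for(i = 0; i < 4; i++)
    out[i] = 0;
  for(i = 0; i < 4 && *s >= '0' && *s <= '9'; i++) {
    char *end;
    out[i] = strtoul(s, &end, 10);
    if(*end != '.')
      break;
    s = end + 1;
  }
}

/* Numeric check: compare field by field as integers. */
static int at_least_numeric(const char *ver, const char *min)
{
  unsigned long a[4], b[4];
  int i;
  parse_version(ver, a);
  parse_version(min, b);
  for(i = 0; i < 4; i++)
    if(a[i] != b[i])
      return a[i] > b[i];
  return 1; /* all four fields equal */
}

int main(void)
{
  /* constructed sample version strings */
  static const char *v[] = { "1.1.4", "1.2.0.4", "1.2.13", "1.10.0.0" };
  size_t i;
  for(i = 0; i < sizeof(v) / sizeof(v[0]); i++)
    printf("%-9s strcmp=%d numeric=%d\n", v[i],
           at_least_strcmp(v[i], "1.2.0.4"), at_least_numeric(v[i], "1.2.0.4"));
  return 0;
}
```

The two checks agree on the first three samples and differ only on "1.10.0.0", where the string comparison would select the code path meant for old versions.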
