zlib vulnerability reported, many applications affected

Hakimoto
Moderator
Posts: 2580
Joined: Sun Mar 30, 2003 4:29 am
Location: Nijmegen, Netherlands, Europe


Post by Hakimoto » Sun Jul 10, 2005 6:26 am

The Bandito wrote:In a few years, no doubt, you'll be able to buy a computer,
software and operating system that will match the capabilities
of your current Amiga at about the price you paid for the
Amiga way back when. But you can smile to yourself, knowing
that you were touching the future years before the rest of
the world. And that other computers and operating systems
will do with brute force what the Amiga did years before with
grace, elegance and style.


Eroteme.ch - my end of the internet...

dexter1
Moderator
Posts: 2735
Joined: Thu Feb 20, 2003 6:57 am
Location: Zoetermeer, The Netherlands

Post by dexter1 » Sun Jul 10, 2005 6:29 am

Joerg said that to me yesterday, and I promised him a new neko_zlib package.

Getting on it, right now :)

EDIT: Done. I've put the new package on my mirror and have uploaded it on nekochan's incoming:

zlib 4 cbb24c30bc91caca63dbdf7d8000e9e8 neko_zlib-1.2.2-r1.tardist

The patch is a one-liner in inftrees.c:


diff -u -p -r1.5 inftrees.c
--- lib/libz/inftrees.c 11 May 2005 03:47:48 -0000      1.5
+++ lib/libz/inftrees.c 2 Jul 2005 19:29:56 -0000
@@ -134,7 +134,7 @@ unsigned short FAR *work;
         left -= count[len];
         if (left < 0) return -1;        /* over-subscribed */
     }
-    if (left > 0 && (type == CODES || (codes - count[0] != 1)))
+    if (left > 0 && (type == CODES || max != 1))
         return -1;                      /* incomplete set */
 
     /* generate offsets into symbol table for each length for sorting */
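Review bot: `max` on the `+` line is not declared or assigned anywhere in this hunk, so confirm it is computed earlier in the same function before this check; the expression it replaces, `codes - count[0]`, used only values visible here, while `max` does not, and the build will fail if it is missing. The intent of the line is unchanged, rejecting an incomplete code set while allowing the single-code special case, so before shipping the package it is worth feeding the rebuilt library a stream with a deliberately incomplete code table and confirming it still returns -1 at `/* incomplete set */`, particularly since the post notes this patch is unofficial.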

This is a patch I gleaned from usenet FreeBSD/gentoo traffic, so it is unofficial. Therefore I marked the package 1.2.2-r1 to mimic the gentoo designation.
When the official build/patch is out I will update the package again, so that there will be no misunderstanding about the proper version of zlib.

nekonoko
Site Admin
Posts: 8145
Joined: Thu Jan 23, 2003 1:31 am
Location: Pleasanton, California

Post by nekonoko » Sun Jul 10, 2005 11:42 am

Okay, I installed the package on the webserver. The forum (and embedded gallery) are set up to send everything zlib compressed to the client browser, so it's pretty key here too :) Thanks for the quick turnaround!
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.

Hakimoto
Moderator
Posts: 2580
Joined: Sun Mar 30, 2003 4:29 am
Location: Nijmegen, Netherlands, Europe

Post by Hakimoto » Sun Jul 10, 2005 12:14 pm

Nice work, dex, much appreciated. And once again, we (the nekowarers) are safe(r). Now where's that Windows patch already? ;-) buaergh! irix rules.

zahal
Posts: 837
Joined: Fri May 27, 2005 11:43 am

Post by zahal » Wed Aug 03, 2005 7:08 pm

Windows patch you say?
Ahh..you mean Longhorn??
