Mailing-List:	contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe:	<mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive:	<http://sourceware.org/ml/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender:	cygwin-owner AT cygwin DOT com
Mail-Followup-To:	cygwin AT cygwin DOT com
Delivered-To:	mailing list cygwin AT cygwin DOT com
Message-ID:	<413EAE87.4B27954A@dessent.net>
Date:	Wed, 08 Sep 2004 00:02:31 -0700
From:	Brian Dessent <brian AT dessent DOT net>
Organization:	My own little world...
MIME-Version:	1.0
To:	cygwin AT cygwin DOT com
Subject:	Re: ZLIB
References:	<090720041829 DOT 5116 DOT 413DFDF100033E40000013FC2160280748CC090201040906 AT att DOT net>
X-IsSubscribed:	yes
Reply-To:	cygwin AT cygwin DOT com

jglong3 AT att DOT net wrote:

> The following subject was researched in the CYGWIN Archives. If the answer exists, I apologize if the proper string(s) were not input to find the answer to the following discussion.
> 
>     A report by SecurityTracker mentions that there is situation in zlib.
>     This situation in zlib is reported as relative to the inflate() and
>     inflateBack().
>     The report says the situation varies depending on the application
>     using the zlib library, but if exploited can result in a denial of services.
> 
> Is there a new zlib to correct for this????
> 
> If so is the correction in Zlib or the cygwin.dll------
> 
> What download file or files are required????
> 
> THANKS for your time, help, and advise!!! :)

First of all it would have helped if you'd included some links.  The
page you are referring to is
<http://www.securitytracker.com/alerts/2004/Aug/1011085.html> and the
problem was reported in the debian bug report
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=252253>.  The OpenPKG
report at <http://lwn.net/Articles/99288/> also contains useful links.

The date of that advisory was 30-Aug-2004, and the datestamp on the
1.2.1 Cygwin zlib package is 3-Dec-2003 so no, it does not contain this
fix.  And, unless I missed it there was no announcement in the last week
of a new zlib package, so for the time being there is nothing to
download.

The fix for this advisory is a trivial patch to fix the error handling,
as below from the OpenBSD avisory
<ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/017_libz.patch>:

diff -u -p -r1.2 -r1.2.2.1
--- lib/libz/infback.c  17 Dec 2003 00:28:19 -0000      1.2
+++ lib/libz/infback.c  28 Aug 2004 16:21:46 -0000      1.2.2.1
@@ -446,6 +446,9 @@ void FAR *out_desc;
                 }
             }
 
+            if (state->mode == BAD)
+                break;
+
             /* build code tables */
             state->next = state->codes;
             state->lencode = (code const FAR *)(state->next);

diff -u -p -r1.6 -r1.6.2.1
--- lib/libz/inflate.c  17 Dec 2003 00:28:19 -0000      1.6
+++ lib/libz/inflate.c  28 Aug 2004 16:21:46 -0000      1.6.2.1
@@ -909,6 +909,9 @@ int flush;
                         state->lens[state->have++] = (unsigned
short)len;
                 }
             }
+
+            if (state->mode == BAD)
+                break;
 
             /* build code tables */
             state->next = state->codes;

If this is important to you then you should download the zlib src
package and apply the above.  Hopefully the zlib maintainer will release
a fixed package shortly, but with free software there is never any
guarantee of anything.

Brian

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/

- Raw text -