Mail Archives: cygwin/2004/09/08/13:01:38

Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com
From: jglong3 AT att DOT net
To: cygwin AT cygwin DOT com
Subject: Re: ZLIB
Date: Wed, 08 Sep 2004 17:01:29 +0000
Message-Id: <090820041701.20555.413F3AE9000191EB0000504B2160280748CC090201040906@att.net>
X-Authenticated-Sender: amdsb25nM0BhdHQubmV0
X-IsSubscribed: yes

Hello Brian,,,  :) :)


OK,,,Thanks for the REPLY! :) :)

I hope I understand what to look for.

And, apologies that I did not provide the link to SecurityTracker.

Thanks for your advice, help, and especially your time!!   :) :)

Jerry 

-------------- Original message from Brian Dessent : -------------- 

> jglong3 AT att DOT net wrote: 
> 
> > The following subject was researched in the CYGWIN Archives. If the answer
> > exists, I apologize if the proper string(s) were not input to find the answer to
> > the following discussion.
> >
> > A report by SecurityTracker mentions that there is a situation in zlib.
> > This situation in zlib is reported as relative to the inflate() and
> > inflateBack().
> > The report says the situation varies depending on the application
> > using the zlib library, but if exploited can result in a denial of
> > services.
> > 
> > Is there a new zlib to correct for this???? 
> > 
> > If so is the correction in Zlib or the cygwin.dll------ 
> > 
> > What download file or files are required???? 
> > 
> > THANKS for your time, help, and advice!!! :)
> 
> First of all it would have helped if you'd included some links. The 
> page you are referring to is 
> and the 
> problem was reported in the debian bug report 
> . The OpenPKG 
> report at also contains useful links. 
> 
> The date of that advisory was 30-Aug-2004, and the datestamp on the 
> 1.2.1 Cygwin zlib package is 3-Dec-2003 so no, it does not contain this 
> fix. And, unless I missed it there was no announcement in the last week 
> of a new zlib package, so for the time being there is nothing to 
> download. 
> 
> The fix for this advisory is a trivial patch to fix the error handling, 
> as below from the OpenBSD advisory
> : 
> 
> diff -u -p -r1.2 -r1.2.2.1 
> --- lib/libz/infback.c 17 Dec 2003 00:28:19 -0000 1.2 
> +++ lib/libz/infback.c 28 Aug 2004 16:21:46 -0000 1.2.2.1 
> @@ -446,6 +446,9 @@ void FAR *out_desc; 
> } 
> } 
> 
> + if (state->mode == BAD) 
> + break; 
> + 
> /* build code tables */ 
> state->next = state->codes; 
> state->lencode = (code const FAR *)(state->next); 
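
Review bot: the new `if (state->mode == BAD) break;` in infback.c sits between the closing braces of the preceding block and `/* build code tables */` with no comment saying why it is there. Suggest a one-line comment above it stating that an error flagged in the block above must skip the table build, so a later reader does not drop the check as dead code; as written, the guard is the only thing keeping `state->next = state->codes;` and the lines after it from running once the mode is BAD.
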
> 
> diff -u -p -r1.6 -r1.6.2.1 
> --- lib/libz/inflate.c 17 Dec 2003 00:28:19 -0000 1.6 
> +++ lib/libz/inflate.c 28 Aug 2004 16:21:46 -0000 1.6.2.1 
> @@ -909,6 +909,9 @@ int flush; 
> state->lens[state->have++] = (unsigned 
> short)len; 
> } 
> } 
> + 
> + if (state->mode == BAD) 
> + break; 
> 
> /* build code tables */ 
> state->next = state->codes; 
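
Review bot: in inflate.c the guard lands directly after the block that fills `state->lens[state->have++]`, and nothing in the hunk says that a BAD mode set while those lengths are read is what it catches; a short comment to that effect belongs above the `if`. The blank-line placement also differs from the infback.c hunk (blank line added before the check here, after it there), so it would help to make the two copies identical to keep later fixes easy to apply to both files. The patch touches only the two source files; a malformed-stream regression input exercising inflate() and inflateBack() would confirm the error path is taken before the code tables are built.
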
> 
> If this is important to you then you should download the zlib src 
> package and apply the above. Hopefully the zlib maintainer will release 
> a fixed package shortly, but with free software there is never any 
> guarantee of anything. 
> 
> Brian 
> 
> -- 
> Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple 
> Problem reports: http://cygwin.com/problems.html 
> Documentation: http://cygwin.com/docs.html 
> FAQ: http://cygwin.com/faq/ 
> 
