Bruce Dubbs wrote:
Additionally, you may want to consider releasing LFS 6.1.1 due to a
zlib vulnerability:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096
http://www.debian.org/security/2005/dsa-740
The fix appears to be:
+--- zlib-1.2.2.orig/inftrees.c 2004-09-15 15:30:06.000000000 +0100
++++ zlib-1.2.2/inftrees.c 2005-07-02 14:42:24.270321629 +0100
+@@ -134,7 +134,7 @@
+ left -= count[len];
+ if (left < 0) return -1; /* over-subscribed */
+ }
+- if (left > 0 && (type == CODES || (codes - count[0] != 1)))
++ if (left > 0 && (type == CODES || max != 1))
+ return -1; /* incomplete set */
+
+ /* generate offsets into symbol table for each length for sorting */
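Review bot: the new condition on the `++` line compares `max != 1`, but `max` is not defined anywhere in the visible context, so the hunk cannot be reviewed on its own; it should be confirmed that `max` is the maximum code length computed earlier in the same table builder, and a short comment above the check saying so would make the intent readable without the full file. The logic is a tightening, not an equivalent rewrite: the old test `codes - count[0] != 1` let any incomplete set through as long as it contained exactly one code of non-zero length, whereas `max != 1` only lets it through when that single code has length 1, so the trailing `/* incomplete set */` comment would be clearer as "incomplete set, except a single code of length 1".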
Which LFS should probably do with a sed:
sed -i 's/(codes - count\[0\] != 1)/max != 1/' inftrees.c
Alternatively, I suspect there will be a zlib 1.2.3 in the next day or two.
-- Bruce
This patch is already included with LFS 6.1.
--
http://linuxfromscratch.org/mailman/listinfo/blfs-support