On Thu, 2005-07-07 at 10:01 -0400, jef moskot wrote:
> On Thu, 7 Jul 2005, Christopher X. Candreva wrote:
> > www.zlib.net is still showing 1.2.2 from Oct 3 2004 as the latest version.
> > Where is the version that was released yesterday?
> 
> It affects FreeBSD 5.4 and 5.4, so if you have 4.x, you might not have
> noticed.  Full details here:
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:16.zlib.asc

The CVE is CAN-2005-2096

The patch is pretty trivial:
--- zlib-1.2.2.2/inftrees.c.can-2005-2096       2005-07-04
10:11:17.654675898 -0600
+++ zlib-1.2.2.2/inftrees.c     2005-07-04 10:12:16.718086123 -0600
@@ -134,7 +134,7 @@
         left -= count[len];
         if (left < 0) return -1;        /* over-subscribed */
     }
-    if (left > 0 && (type == CODES || (codes - count[0] != 1)))
+    if (left > 0 && (type == CODES || max != 1))
         return -1;                      /* incomplete set */

     /* generate offsets into symbol table for each length for sorting
*/
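Review bot: the new test on the `+` line depends on `max`, which is assigned outside the visible context, and the only comment on the branch is still "incomplete set", so nothing here explains why `max != 1` is the right exception where `codes - count[0] != 1` was not. Confirm that `max` is already final when this check runs, and extend the comment to state which incomplete sets are still accepted (non-CODES tables where `max` is 1) so the condition is not loosened again later. A regression test that feeds an incomplete set with `max` greater than 1 and expects the -1 return would also pin the fix down.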

I've seen announcements from Mandriva, RedHat, Gentoo, and Debian thus
far.


But the OP had a zlib library from 1998!  That is certainly wrong, and
why I said "desperately".  

-- 
Daniel J McDonald, CCIE # 2495, CNX
Austin Energy
