Re: [Firebird-devel] Security vulnerability in zlib library

2022-04-01 Thread Vlad Khorsun

31.03.2022 11:11, Mark Rotteveel wrote:
A security vulnerability was found in zlib: 
https://nakedsecurity.sophos.com/2022/03/29/zlib-data-compressor-fixes-17-year-old-security-bug-patch-errr-now/


Will we include an updated version in the next release?


  I'll take care of the Windows builds.

Regards,
Vlad


Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel


Re: [Firebird-devel] Security vulnerability in zlib library

2022-04-01 Thread Alex Peshkoff via Firebird-devel

On 4/1/22 01:30, Dimitry Sibiryakov wrote:

Alex Peshkoff via Firebird-devel wrote 31.03.2022 16:08:
  The crash happens when compression of a stream of definite data is 
attempted. IMHO, it is hard (if possible at all) to purposefully 
construct such a stream *from* the server to crash or exploit it.




How long should it be? Can it be put into a blob?


  Yes, but according to the bug description it also requires usage of the 
Z_FIXED option, which Firebird doesn't use.




Have a look at this - the bug is already reproduced with the default strategy:
https://seclists.org/oss-sec/2022/q1/201

Luckily, other parameters (like memlevel) are not default, and such values 
of them are not used by Firebird, but you see: the range of conditions 
where the bug can be reproduced spreads. I.e. it's definitely better to upgrade.




