Re: [Firebird-devel] Security vulnerability in zlib library

2022-03-31 Thread Dimitry Sibiryakov
Alex Peshkoff via Firebird-devel wrote 31.03.2022 16:08: The crash happens when a stream of definite data is tried to be compressed. IMHO, it is hard (if possible at all) to purposefully construct such a stream *from* server to crash or exploit it. How long should it be? Can it be put into

Re: [Firebird-devel] Security vulnerability in zlib library

2022-03-31 Thread Alex Peshkoff via Firebird-devel
On 3/31/22 16:39, Dimitry Sibiryakov wrote: Alex Peshkoff via Firebird-devel wrote 31.03.2022 15:21: Note that the crash happens on compression so it doesn't affect Firebird security. Did not catch why - we use zlib compression on the wire (since fb3) and in gbak (since fb4). Both cases

Re: [Firebird-devel] Security vulnerability in zlib library

2022-03-31 Thread Mark Rotteveel
On 2022-03-31 15:39, Dimitry Sibiryakov wrote: Alex Peshkoff via Firebird-devel wrote 31.03.2022 15:21: Note that the crash happens on compression so it doesn't affect Firebird security. Did not catch why - we use zlib compression on the wire (since fb3) and in gbak (since fb4). Both

Re: [Firebird-devel] Security vulnerability in zlib library

2022-03-31 Thread Dimitry Sibiryakov
Alex Peshkoff via Firebird-devel wrote 31.03.2022 15:21: Note that the crash happens on compression so it doesn't affect Firebird security. Did not catch why - we use zlib compression on the wire (since fb3) and in gbak (since fb4). Both cases are not default but anyway not good. The

Re: [Firebird-devel] Security vulnerability in zlib library

2022-03-31 Thread Alex Peshkoff via Firebird-devel
On 3/31/22 16:13, Dimitry Sibiryakov wrote: Alex Peshkoff via Firebird-devel wrote 31.03.2022 15:05: On 3/31/22 11:11, Mark Rotteveel wrote: A security vulnerability was found in zlib:

Re: [Firebird-devel] Security vulnerability in zlib library

2022-03-31 Thread Dimitry Sibiryakov
Alex Peshkoff via Firebird-devel wrote 31.03.2022 15:05: On 3/31/22 11:11, Mark Rotteveel wrote: A security vulnerability was found in zlib: https://nakedsecurity.sophos.com/2022/03/29/zlib-data-compressor-fixes-17-year-old-security-bug-patch-errr-now/ Will we include an updated version in

Re: [Firebird-devel] Security vulnerability in zlib library

2022-03-31 Thread Alex Peshkoff via Firebird-devel
On 3/31/22 11:11, Mark Rotteveel wrote: A security vulnerability was found in zlib: https://nakedsecurity.sophos.com/2022/03/29/zlib-data-compressor-fixes-17-year-old-security-bug-patch-errr-now/ Will we include an updated version in the next release? On Linux that's not our problem - we

[Firebird-devel] Security vulnerability in zlib library

2022-03-31 Thread Mark Rotteveel
A security vulnerability was found in zlib: https://nakedsecurity.sophos.com/2022/03/29/zlib-data-compressor-fixes-17-year-old-security-bug-patch-errr-now/ Will we include an updated version in the next release? Can people just drop in a replacement? Mark