Since no one else replied I went ahead and investigated this myself.
Current CVS seemed to contain version 1.1.3 of the zlib library.

The page:

http://www.gzip.org/zlib/advisory-2002-03-11.txt

seems to indicate that version 1.1.3 IS vulnerable.

I have gone ahead and incorporated the 1.1.4 versions of the relevant files
in my tree and created a patch.  It still compiles on my box, but I have
done 0 testing.  I'm not even sure where the zlib compression is used in the
program.

Attached is the relevant patch.

I would recommend someone package a new release, and indicate possible
security issues with older versions on the web site.

Marty Schoch
<[EMAIL PROTECTED]>



On 3/12/02 3:48 PM, "Marty Schoch" <[EMAIL PROTECTED]> wrote:

> 
> The RedHat Security Advisory RHSA-2002:027-22 mentions updated
> freeamp-2.0.8 rpms for various RedHat Powertools distributions due to
> statically linked zlib vulnerabilities.  Would someone care to comment on
> any implications for the current 2.1 releases and/or CVS trees?
> 
> Marty Schoch
> <[EMAIL PROTECTED]>
> 
> _______________________________________________
> [EMAIL PROTECTED]
> http://www.freeamp.org/mailman/listinfo/freeamp-dev
> 

Attachment: zlib.patch
Description: Binary data
