Fwd: buffer overrun in zlib 1.1.4

Kelledin kelledin+LFS at skarpsey.dyndns.org
Sun Apr 27 04:56:11 PDT 2003


On Saturday 26 April 2003 08:07 pm, Gerard Beekmans wrote:
> On February 23, 2003 06:24 pm, Kelledin wrote:
>
> It's been a while since this issue was brought up. Has anybody
> continued testing this behind the scenes? Does your
> recommendation of adding this patch still stand?

Yup, my recommendation still stands.

The patch made it into OpenPKG, Sorcerer, and a few other distros 
as well, after I posted it on bugtraq at .  It also passes all 
zlib's build-time tests and defeats the one proof-of-concept 
code snippet I've seen for the exploit.

OpenPKG also contributed some minor configure check fixes to the 
patch; these fixes don't really affect us, but it's only proper 
to use a fully correct patch all the same.

The final-revision patch is here:

http://skarpsey.dyndns.org/zlib-1.1.4-final-vsnprintf.patch

Once the patch is applied, the book can continue using the same 
instructions it's been using.  zlib ./configure should 
automatically test vsprintf/vsnprintf and echo the results to 
the terminal.

-- 
Kelledin
"If a server crashes in a server farm and no one pings it, does 
it still cost four figures to fix?"
-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe lfs-dev' in the subject header of the message



More information about the lfs-dev mailing list