Fwd: buffer overrun in zlib 1.1.4
kelledin+LFS at skarpsey.dyndns.org
Sun Apr 27 04:56:11 PDT 2003
On Saturday 26 April 2003 08:07 pm, Gerard Beekmans wrote:
> On February 23, 2003 06:24 pm, Kelledin wrote:
> It's been a while since this issue was brought up. Has anybody
> continued testing this behind the scenes? Does your
> recommendation of adding this patch still stand?

Yup, my recommendation still stands.

The patch made it into OpenPKG, Sorcerer, and a few other distros
as well, after I posted it on bugtraq at . It also passes all
zlib's build-time tests and defeats the one proof-of-concept
code snippet I've seen for the exploit.

OpenPKG also contributed some minor configure check fixes to the
patch; these fixes don't really affect us, but it's only proper
to use a fully correct patch all the same.

The final-revision patch is here:

Once the patch is applied, the book can continue using the same
instructions it's been using. zlib ./configure should
automatically test vsprintf/vsnprintf and echo the results to

"If a server crashes in a server farm and no one pings it, does
it still cost four figures to fix?"
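
An added illustration, not part of the original message and not the patch it refers to: the bounded-formatting pattern that a vsprintf-to-vsnprintf change relies on, including the return-value check that a configure-time vsnprintf test exists to support. `bounded_format`, `FMT_BUFSIZE`, `CANARY` and `struct record` are hypothetical names, and the oversized input is constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define FMT_BUFSIZE 64      /* hypothetical buffer size for this example */
#define CANARY 0xC0FFEEu    /* constructed sentinel value */

/* Hypothetical helper: format into dst without writing past dstsize bytes.
 * Returns the string length, or -1 if the output did not fit. */
static int bounded_format(char *dst, size_t dstsize, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (dst == NULL || dstsize == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(dst, dstsize, fmt, ap);
    va_end(ap);
    /* C99 returns the would-be length; some pre-C99 libcs return -1 on
     * truncation. Treat both as failure rather than pass on a cut string. */
    if (n < 0 || (size_t)n >= dstsize) {
        dst[0] = '\0';
        return -1;
    }
    return n;
}

/* Fixed buffer followed by a field that an unbounded vsprintf would clobber. */
struct record {
    char buf[FMT_BUFSIZE];
    unsigned int canary;
};

/* Returns 1 if oversized input is rejected and the adjacent field survives. */
static int oversized_input_is_contained(void)
{
    struct record r;
    char big[4 * FMT_BUFSIZE];   /* constructed input, 4x the buffer size */
    int rc;
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    r.canary = CANARY;
    rc = bounded_format(r.buf, sizeof r.buf, "%s", big);
    return rc == -1 && r.buf[0] == '\0' && r.canary == CANARY;
}

int main(void) { return oversized_input_is_contained() ? 0 : 1; }
```
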