Contributed by grey on from the prompt patch posting dept.
Looks like you can crash applications through zlib again, and OpenBSD has promptly released an applicable patch. The vulnerability is caused by insufficient error handling in the functions "inflate()" and "inflateBack()". The 3.5 patch is here: ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/017_libz.patch.
Of course, be sure to check http://www.openbsd.org/errata.html for additional details. The word from Brad Smith is that 3.4 is unaffected.
By Bert (203.215.101.75) on
By grey (207.215.223.2) on
By Norbert P. Copones (203.215.101.75) http://www.feu-nrmf.ph/norbert/ on
By Brad (216.138.200.42) brad at comstyle dot com on
and they're all dynamically linked. If you're on a static arch (hppa, vax, mvme88k) then you'll have to recompile them.
By Norbert P. Copones (203.215.101.75) on
By Brad (216.138.200.42) brad at comstyle dot com on
By hans (137.186.220.128) on
By van (81.1.215.2) on
By van (81.1.215.2) on
By Ian McWilliam (220.240.54.229) on
By Otto (213.84.84.111) otto@drijf.net on http://www.drijf.ney
Patches are only released for things that are considered critical. We want to keep the number of patches and the amount of code affected as small as possible.
The stable branches also contain stuff that is important, but not as critical.
The userland libz is used to process foreign files; files that come from potentially untrusted sources on the net. The kernel libz is only used for boot code, which processes local, trusted files. So that makes the kernel libz fix not as critical as the userland libz fix.
By Ian McWilliam (220.240.54.229) on
By Otto (213.84.84.111) otto@drijf.net on http://www.drijf.net
By Brad (216.138.200.42) brad at comstyle dot com on