
List:       oss-security
Subject:    Re: [oss-security] zlib memory corruption on deflate (i.e. compress)
From:       Alan Coopersmith <alan.coopersmith () oracle ! com>
Date:       2022-03-29 21:27:12
Message-ID: 8c6a6c4a-a643-6838-2aad-8911693da9cf () oracle ! com

For those who don't monitor the https://www.zlib.net/ home page, version 1.2.12 
was released on Sunday.

	-alan-

On 3/26/22 19:29, Adler, Mark wrote:
> Petr,
> 
> Yes, I will release develop to master. I need to do some portability testing first.
> 
> Mark
> 
> 
>> On Mar 23, 2022, at 10:43 PM, Petr Štetiar <ynezz@true.cz> wrote:
>>
>> Tavis Ormandy <taviso@gmail.com> [2022-03-23 20:49:49]:
>>
>> [ adding Mark to the Cc: loop ]
>>
>> Hi,
>>
>>> Greetings list, I was recently trying to track down a reproducible crash
>>> in a compressor. Believe it or not, it really was a bug in
>>> zlib-1.2.11 when compressing (not decompressing!) certain inputs.
>>
>> thank you for letting us know!
>>
>>> I reported it upstream, but it turns out the issue has been public since
>>> 2018, but the patch never made it into a release. As far as I know,
>>> nobody ever assigned it a CVE.
>>>
>>> https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
>>>
>>> As far as I can tell, no distros have picked this up.
>>
>> It's mostly due to the fact that, AFAIK, it has never hit a release. Mark,
>> would it please be possible to do another point release with that security
>> fix included? Thanks!
>>
>> Cheers,
>>
>> Petr
> 


-- 
         -Alan Coopersmith-                 alan.coopersmith@oracle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris
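The practical follow-up to this thread is checking which zlib a given build or host actually carries, since the deflate fix sat in the develop branch for years without reaching a release, and 1.2.12 is the release Alan points at. The program below is an added example written for this page, not code from the thread, from zlib, or from any of the posters. It parses version strings of the form that zlibVersion() returns ("1.2.11", "1.2.12", ...) and the hex layout of the ZLIB_VERNUM header macro (0x12b0 for 1.2.11, 0x12c0 for 1.2.12), and reports whether the version is at or past 1.2.12. The sample strings in main() are constructed; the HAVE_ZLIB_H macro is a hypothetical build flag used only to show where the real header/library comparison would go when zlib.h is available.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef HAVE_ZLIB_H        /* hypothetical build flag; not defined by zlib itself */
#include <zlib.h>
#endif

/* Version triple parsed from a zlib version string such as "1.2.11". */
struct zver { int major, minor, patch; };

/* First release that carries the deflate fix discussed in the thread. */
static const struct zver FIXED_RELEASE = {1, 2, 12};

/* Parse "MAJOR.MINOR.PATCH[.extra][suffix]" as produced by zlibVersion().
 * Returns 0 on success, -1 if the string does not start with a version.
 * A missing PATCH component is treated as 0 ("1.3" -> 1.3.0); any fourth
 * component or trailing suffix is ignored for the comparison. */
static int zver_parse(const char *s, struct zver *out)
{
    int parts[3] = {0, 0, 0};
    int i;

    if (!s || !isdigit((unsigned char)*s))
        return -1;
    for (i = 0; i < 3; i++) {
        char *end;
        long v = strtol(s, &end, 10);
        if (end == s || v < 0 || v > 9999)
            return -1;
        parts[i] = (int)v;
        s = end;
        if (*s != '.')
            break;                     /* end of string or a suffix like "-rc1" */
        s++;
        if (!isdigit((unsigned char)*s))
            return -1;                 /* "1." with nothing after the dot */
    }
    out->major = parts[0];
    out->minor = parts[1];
    out->patch = parts[2];
    return 0;
}

/* Three-way comparison of two parsed versions. */
static int zver_cmp(const struct zver *a, const struct zver *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    return 0;
}

/* Returns 1 if the version string names a release at or past 1.2.12,
 * 0 if it predates it, and -1 if the string cannot be parsed.
 * Note: a develop snapshot such as "1.2.11.1" may or may not contain the
 * commit, and the string alone cannot tell; it is reported as 0 (unfixed). */
int zlib_has_deflate_fix(const char *version)
{
    struct zver v;
    if (zver_parse(version, &v) != 0)
        return -1;
    return zver_cmp(&v, &FIXED_RELEASE) >= 0 ? 1 : 0;
}

/* Same check on the header's ZLIB_VERNUM, which packs 1.2.12 as 0x12c0
 * (major, minor, patch, sub-revision: one hex digit each). Useful for a
 * compile-time guard such as #if ZLIB_VERNUM < 0x12c0 #error ... */
int zlib_vernum_has_deflate_fix(unsigned vernum)
{
    return vernum >= 0x12c0u ? 1 : 0;
}

int main(void)
{
    /* Constructed sample strings standing in for zlibVersion() output. */
    static const char *samples[] = {
        "1.2.11", "1.2.12", "1.2.13", "1.2.11.1", "1.3", "garbage"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %d\n", samples[i], zlib_has_deflate_fix(samples[i]));

#ifdef HAVE_ZLIB_H
    /* With a real zlib present: the header you compiled against and the
     * library you are linked to at run time can differ; check both. */
    printf("compiled against %s (0x%04x), running %s -> %d\n",
           ZLIB_VERSION, ZLIB_VERNUM, zlibVersion(),
           zlib_has_deflate_fix(zlibVersion()));
#endif
    return 0;
}
```

The string check deliberately treats anything it cannot classify as unfixed rather than guessing, which is the right default when the question is whether a compressor in production still contains a known memory-corruption bug; an unparseable or snapshot version is a prompt to inspect the library by hand, not a pass.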