Closed Bug 258009 Opened 20 years ago Closed 20 years ago

DoS vulnerability in zlib-1.2.1

Categories

(Core :: Graphics: ImageLib, defect)

defect
Not set
normal

VERIFIED FIXED

People

(Reporter: glennrp+bmo, Assigned: glennrp+bmo)

Details

(Whiteboard: [sg:fix])

Attachments

(1 file, 1 obsolete file)

A newly disclosed DoS vulnerability is reported to exist in zlib-1.2.1.
It has been published openly at the openpkg URL mentioned above.

A simple patch is available.  I'm not sure whether the patch has been made
public.  For now I'm marking the bug as a "security problem".
Attached patch: Patch from CERT (obsolete)
zlib patch as received from CERT.  Needs to be converted to a mozilla patch.
Assignee: pavlov → glennrp
Status: NEW → ASSIGNED
Reducing severity to normal because zlib-1.2.1 hasn't landed yet.  Marking
as blocking bug #248644.  If someone uses the system lib they might be vulnerable.
This issue has been assigned CVE# CAN-2004-0797 and CERT VU #238678.
Severity: major → normal
Oops, 1.2.1 did land recently, see bug #226733

The zlib developers are planning to release version 1.2.2 soon with the
vulnerability fixed.
Patch updated to mozilla style; also updates ChangelogMoz, does not update
irrelevant contrib file.
Attachment #157880 - Attachment is obsolete: true
Comment on attachment 157886 [details] [diff] [review]
Patch for zlib-1.2.1 in Mozilla trunk

tor: r?
Attachment #157886 - Flags: review?(tor)
Flags: blocking1.7.x+
Flags: blocking-aviary1.0PR+
Attachment #157886 - Flags: review?(tor) → review+
(opening bug since it is already public)
Group: security
Comment on attachment 157886 [details] [diff] [review]
Patch for zlib-1.2.1 in Mozilla trunk

sr=dveditz
a=dveditz for 1.7 branch
Attachment #157886 - Flags: superreview+
Attachment #157886 - Flags: approval1.7.x+
Whiteboard: [sg:fix]
Comment on attachment 157886 [details] [diff] [review]
Patch for zlib-1.2.1 in Mozilla trunk

a=ben@mozilla.org
Attachment #157886 - Flags: approval-aviary? → approval-aviary+
Clearing 1.7 and aviary blocking flags. Those branches do not have 1.2.1;
they're still using 1.1.4.
Flags: blocking1.7.x+
Flags: blocking-aviary1.0PR+
Checked in on trunk.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
zlib 1.2.2 has been released.  See bug #248644.
Attachment #157886 - Flags: approval1.7.x+
Attachment #157886 - Flags: approval-aviary+
Status: RESOLVED → VERIFIED