Status

VERIFIED FIXED
15 years ago
3 years ago

People

(Reporter: tor, Assigned: tor)

Attachments

(1 attachment)

(Assignee)

Description

15 years ago
It appears that so soon after the zlib-1.2.1 fun, we need to upgrade
to zlib-1.2.1.1.  "What is that?", you might ask after looking at the
zlib homepage and zlib-announce archives and not seeing any mention of
such a beast.

Apparently it's a stealth release, as the only place I've found
tarballs of it is in source packages from various Linux
distributions.  Extracted from the Red Hat FC2 srpm, the ChangeLog
states:

    Changes in 1.2.1.1 (9 January 2004)
    - Updated email address in README
    - Several FAQ updates
    - Fixed a big fat bug in inftrees.c that prevented decoding valid
      dynamic blocks with only literals and no distance codes.
    - Add a note to puff.c on no distance codes case.

While this appears to be a somewhat serious update, I'm somewhat
reluctant to apply it to the mozilla tree until I can find an official
source.  The source URL in the fc2 spec points to ftp.info-zip.org,
which isn't updated anymore.

Comment 1

14 years ago
I received this from Mark Adler, zlib developer.  I'm changing the
summary of this bug to say 1.2.2 instead of 1.2.1.1:

zlib 1.2.2 is complete.  You can download either of these (signatures 
below):

     http://www.zlib.net/zlib-1.2.2.tar.gz
     http://www.zlib.net/zlib-1.2.2.tar.bz2

Summary: Upgrade to zlib 1.2.1.1 → Upgrade to zlib 1.2.2

Comment 2

14 years ago
zlib signatures:

MD5(zlib-1.2.2.tar.gz)= 68bd51aaa6558c3bc3fd4890e53413de

SHA1(zlib-1.2.2.tar.gz)= e6ec67108bfd1f321eb4f1bd192b648725219595

Comment 3

14 years ago
Created attachment 161386
Upgrade zlib to zlib-1.2.2

I've tested the patch on a FreeBSD/gcc-3.4.2 platform using a fresh checkout of
mozilla from CVS this morning: (1) only replacing zlib, and (2) also using libmng
instead of libpng to support PNG, via the latest patch from bug #18574.  Both
configurations worked fine.

Comment 4

14 years ago
Comment on attachment 161386
Upgrade zlib to zlib-1.2.2

tor: r?  Mark Adler says 1.2.2 has been "released":

On Nov 1, 2004, at 6:48 AM, Glenn Randers-Pehrson wrote:
> Is zlib-1.2.2 considered to be "released" now, despite www.zlib.org
> still showing zlib-1.2.1?

Yes.  Unfortunately, we have not been able to get Jean-loup's attention 
to update www.zlib.org.

mark
Attachment #161386 - Flags: review?(tor)
(Assignee)

Comment 5

14 years ago
Are the changes important enough that the minimum version in configure.in
should be bumped too?

Comment 6

14 years ago
The upgrade fixes CERT VU#238678 CAN-2004-0797 which reports a Denial of
Service vulnerability.  So, yes, the minimum "system" version should be 1.2.2.
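
The minimum-version question raised in Comments 5 and 6, as an added example that is not part of this bug thread or of Mozilla's configure.in: a build-time gate has to compare dotted versions numerically, component by component, so that 1.2.1.1 sorts below 1.2.2 and a later 1.2.10 sorts above it. The helper names `version_ge` and `gate` and the sample version strings are hypothetical.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not Mozilla's configure.in.
# Minimum system zlib suggested in the thread (carries the CAN-2004-0797 fix).
MIN_ZLIB="1.2.2"

# version_ge A B: return 0 if A >= B, 1 if A < B, 2 if either is malformed.
# Comparison is numeric per component; missing components count as 0,
# so 1.2.1.1 < 1.2.2 and 1.2.10 > 1.2.2.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        # Leading component of each side.
        x=${a%%.*}; y=${b%%.*}
        x=${x:-0};  y=${y:-0}
        # Anything that is not purely numeric (e.g. "2-beta") is malformed.
        case "$x$y" in *[!0-9]*) return 2 ;; esac
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        # Drop the component just compared.
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0   # every component equal
}

# gate VERSION: fail closed, so an unparsable version is rejected too.
gate() {
    if version_ge "$1" "$MIN_ZLIB"; then
        echo "system zlib $1: accepted"
    else
        echo "system zlib $1: rejected (older than $MIN_ZLIB or unparsable)"
    fi
}

# Constructed sample versions, including the unannounced 1.2.1.1.
for v in 1.2.1 1.2.1.1 1.2.2 1.2.10; do
    gate "$v"
done
```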
(Assignee)

Comment 7

14 years ago
Checked in.
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED
Product: Browser → Seamonkey
(Assignee)

Updated

14 years ago
Attachment #161386 - Flags: review?(tor) → review+

Updated

13 years ago
Status: RESOLVED → VERIFIED