15 years ago
3 years ago


(Reporter: tor, Assigned: tor)




(1 attachment)



15 years ago
It appears that so soon after the zlib-1.2.1 fun, we need to upgrade
to zlib-  "What is that?", you might ask after looking at the
zlib homepage and zlib-announce archives and not seeing any mention of
such a beast.

Apparently it's a stealth release, as the only places I've found
tarballs of it are in source packages from various Linux
distributions.  Extracted from the Red Hat FC2 srpm, the ChangeLog

    Changes in (9 January 2004)
    - Updated email address in README
    - Several FAQ updates
    - Fixed a big fat bug in inftrees.c that prevented decoding valid
      dynamic blocks with only literals and no distance codes.
    - Add a note to puff.c on no distance codes case.

While this appears to be a somewhat serious update, I'm somewhat
reluctant to apply it to the mozilla tree until I can find an official
source.  The source URL in the fc2 spec points to,
which isn't updated anymore.

Comment 1

14 years ago
I received this from Mark Adler, zlib developer.  I'm changing the
summary of this bug to say 1.2.2 instead of

zlib 1.2.2 is complete.  You can download either of these (signatures 

Summary: Upgrade to zlib → Upgrade to zlib 1.2.2

Comment 2

14 years ago
zlib signatures:

MD5(zlib-1.2.2.tar.gz)= 68bd51aaa6558c3bc3fd4890e53413de

SHA1(zlib-1.2.2.tar.gz)= e6ec67108bfd1f321eb4f1bd192b648725219595

Comment 3

14 years ago
Created attachment 161386
Upgrade zlib to zlib-1.2.2

I've tested the patch on a FreeBSD/gcc-3.4.2 platform using a fresh checkout of
mozilla from CVS this morning (1) only replacing zlib (2) also using libmng
instead of libpng to support PNG, via the latest patch from bug #18574.  Both
configurations worked fine.

Comment 4

14 years ago
Comment on attachment 161386
Upgrade zlib to zlib-1.2.2

tor: r?  Mark Adler says 1.2.2 has been "released":

On Nov 1, 2004, at 6:48 AM, Glenn Randers-Pehrson wrote:
> Is zlib-1.2.2 considered to be "released" now, despite
> still showing zlib-1.2.1?

Yes.  Unfortunately, we have not been able to get Jean-loup's attention 
to update

Attachment #161386 - Flags: review?(tor)

Comment 5

14 years ago
Are the changes important enough that the minimum version in
should be bumped too?

Comment 6

14 years ago
The upgrade fixes CERT VU#238678 CAN-2004-0797 which reports a Denial of
Service vulnerability.  So, yes, the minimum "system" version should be 1.2.2.
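
A minimum-version gate of the kind Comment 6 calls for, as an added example (not code from this bug or from the Mozilla tree): it compares dotted zlib versions numerically against 1.2.2 and checks the zlib that the running Python interpreter is linked against. The function names and the sample version strings are assumptions made for illustration.

```python
import re
import zlib

# Minimum taken from the thread: 1.2.2 carries the fix for CAN-2004-0797.
MIN_ZLIB = (1, 2, 2)


def parse_zlib_version(text):
    """Return the leading dotted-numeric part of a zlib version as a tuple.

    Accepts three- and four-component versions and ignores vendor suffixes.
    """
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if match is None:
        raise ValueError(f"unrecognised zlib version: {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def meets_minimum(version, minimum=MIN_ZLIB):
    """Compare numerically, padding the shorter tuple with zeros.

    A plain string comparison would rank "1.2.11" below "1.2.2".
    """
    parsed = parse_zlib_version(version)
    width = max(len(parsed), len(minimum))
    padded = parsed + (0,) * (width - len(parsed))
    floor = tuple(minimum) + (0,) * (width - len(minimum))
    return padded >= floor


def check_linked_zlib(minimum=MIN_ZLIB):
    """Check the headers Python was built with and the library loaded now.

    The two can differ when zlib is a shared system library, so both must pass.
    """
    report = {"compiled": zlib.ZLIB_VERSION, "runtime": zlib.ZLIB_RUNTIME_VERSION}
    report["ok"] = all(
        meets_minimum(report[key], minimum) for key in ("compiled", "runtime")
    )
    return report


if __name__ == "__main__":
    # Constructed sample version strings, not taken from the page.
    for sample in ("1.2.1", "1.2.0.7", "1.2.2", "1.2.11", "1.3.1.zlib-ng"):
        print(sample, "ok" if meets_minimum(sample) else "too old")
    print(check_linked_zlib())
```
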

Comment 7

14 years ago
Checked in.
Last Resolved: 14 years ago
Resolution: --- → FIXED
Product: Browser → Seamonkey


14 years ago
Attachment #161386 - Flags: review?(tor) → review+

