DoS vulnerability in zlib-1.2.1

VERIFIED FIXED

Status

14 years ago
3 years ago

People

(Reporter: glennrp+bmo, Assigned: glennrp+bmo)

Tracking

Trunk

Details

(Whiteboard: [sg:fix], URL)

Attachments

(1 attachment, 1 obsolete attachment)

(Assignee)

Description

14 years ago
A newly disclosed DoS vulnerability is reported to exist in zlib-1.2.1.
It has been published openly at the openpkg URL mentioned above.

A simple patch is available.  I'm not sure whether the patch has been made
public.  For now I'm marking the bug as a "security problem".
(Assignee)

Comment 1

14 years ago
Created attachment 157880
Patch from CERT

zlib patch as received from CERT.  Needs to be converted to a mozilla patch.
Assignee: pavlov → glennrp
Status: NEW → ASSIGNED
(Assignee)

Comment 2

14 years ago
Reducing severity to normal because zlib-1.2.1 hasn't landed yet.  Marking
as blocking bug #248644.  If someone uses the system lib they might be vulnerable.
This issue has been assigned CVE# CAN-2004-0797 and CERT VU #238678.
Severity: major → normal
(Assignee)

Comment 3

14 years ago
Oops, 1.2.1 did land recently, see bug #226733

The zlib developers are planning to release version 1.2.2 soon with the
vulnerability fixed.
(Assignee)

Comment 4

14 years ago
Created attachment 157886
Patch for zlib-1.2.1 in Mozilla trunk

Patch updated to mozilla style; also updates ChangelogMoz, does not update
irrelevant contrib file.
Attachment #157880 - Attachment is obsolete: true
(Assignee)

Comment 5

14 years ago
Comment on attachment 157886
Patch for zlib-1.2.1 in Mozilla trunk

tor: r?
Attachment #157886 - Flags: review?(tor)

Updated

14 years ago
Flags: blocking1.7.x+
Flags: blocking-aviary1.0PR+

Updated

14 years ago
Attachment #157886 - Flags: review?(tor) → review+
(opening bug since it is already public)
Group: security
Comment on attachment 157886
Patch for zlib-1.2.1 in Mozilla trunk

sr=dveditz
a=dveditz for 1.7 branch
Attachment #157886 - Flags: superreview+
Attachment #157886 - Flags: approval1.7.x+
Whiteboard: [sg:fix]
Comment on attachment 157886
Patch for zlib-1.2.1 in Mozilla trunk

a=ben@mozilla.org
Attachment #157886 - Flags: approval-aviary? → approval-aviary+
Clearing 1.7 and aviary blocking flags. Those branches do not have 1.2.1,
they're still using 1.1.4
Flags: blocking1.7.x+
Flags: blocking-aviary1.0PR+

Comment 10

14 years ago
Checked in on trunk.
Status: ASSIGNED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED
(Assignee)

Comment 11

14 years ago
zlib 1.2.2 has been released.  See bug #248644.

Updated

14 years ago
Attachment #157886 - Flags: approval1.7.x+
Attachment #157886 - Flags: approval-aviary+
(Assignee)

Updated

13 years ago
Status: RESOLVED → VERIFIED