A newly disclosed DoS vulnerability is reported to exist in zlib-1.2.1. It has been published openly at the openpkg URL mentioned above. A simple patch is available. I'm not sure whether the patch has been made public. For now I'm marking the bug as a "security problem".
Created attachment 157880: Patch from CERT
zlib patch as received from CERT. Needs to be converted to a mozilla patch.
Assignee: pavlov → glennrp
Status: NEW → ASSIGNED
Reducing severity to normal because zlib-1.2.1 hasn't landed yet. Marking as blocking bug #248644. If someone uses the system lib they might be vulnerable. This issue has been assigned CVE# CAN-2004-0797 and CERT VU #238678.
Severity: major → normal
Oops, 1.2.1 did land recently, see bug #226733. The zlib developers are planning to release version 1.2.2 soon with the vulnerability fixed.
Created attachment 157886: Patch for zlib-1.2.1 in Mozilla trunk
Patch updated to mozilla style; also updates ChangelogMoz, does not update irrelevant contrib file.
Attachment #157880 - Attachment is obsolete: true
Comment on attachment 157886: Patch for zlib-1.2.1 in Mozilla trunk
tor: r?
Attachment #157886 - Flags: review?(tor)
(opening bug since it is already public)
Comment on attachment 157886: Patch for zlib-1.2.1 in Mozilla trunk
sr=dveditz a=dveditz for 1.7 branch
Attachment #157886 - Flags: approval-aviary?
Comment on attachment 157886: Patch for zlib-1.2.1 in Mozilla trunk
email@example.com
Attachment #157886 - Flags: approval-aviary? → approval-aviary+
Clearing 1.7 and aviary blocking flags. Those branches do not have 1.2.1; they're still using 1.1.4.
Checked in on trunk.
Status: ASSIGNED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED
zlib 1.2.2 has been released. See bug #248644.