While working on bug #299425, the zlib team has discovered another vulnerability. The fix (by Mark Adler) is to change a couple of settings in inftrees.h: --- 36,47 ---- */ /* Maximum size of dynamic tree. The maximum found in a long but non- ! exhaustive search was 1444 code structures (852 for length/literals ! and 592 for distances, the latter actually the result of an exhaustive search). The true maximum is not known, but the value below is more than safe. */ ! #define ENOUGH 2048 ! #define MAXD 592
Created attachment 188933 [details] [diff] [review] patch from initial comment Attaching patch from initial comment so we can attach appropriate flags
Is this exploitable?
Comment on attachment 188933 [details] [diff] [review] patch from initial comment rs=me, I guess. I don't know this code at all.
Attachment #188933 - Flags: review?(cbiesinger) → review+
Re: comment #2 Mark Adler seems to be more concerned about this one than the previous, probably because it's easier to understand. The team has a demo file that crashes zlib but aren't distributing it right now.
Like the previous bug, this one was apparently introduced in zlib-1.2.0 and does not affect version 1.1.4.
Whoops, the cross reference in my original comment is incorrect. It should say bug #299445. Sorry.
Zlib developers have released zlib-1.2.3 which includes the fix for this and the other recent security bug. At this point we probably should upgrade to 1.2.3 instead of patching the bug. See zlib.net/zlib-1.2.3.tar.gz. Here is the announcement from Mark Adler: All, Thank you very much for your testing. zlib 1.2.3 is available here: http://zlib.net/zlib-1.2.3.tar.gz This is the final version. I would appreciate it if someone could generate zip and dll versions with the same conventions used for the previous release. Thanks. mark MD5(zlib-1.2.3.tar.gz)= debc62758716a169df9f62e6ab2bc634 SHA1(zlib-1.2.3.tar.gz)= 60faeaaf250642db5c0ea36cd6dcc9f99c8f3902 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (Darwin) iD8DBQBC27A4eD/Njli8r7oRAkknAKDT33PcLS0aTOAK1BhZSmqXUy0LmwCfTQdU WGxs9D/VFnlBbRkM4KQY6X8= =cu2V -----END PGP SIGNATURE-----
I will upgrade mozilla/security/nss/cmd/zlib to zlib 1.2.3 (bug 301212).
Now that zlib-1.2.3 has been released this can be public. Removing security-sensitivity flag.
Someone empowered to do so, please clear the security-sensitive flag.
Zlib-1.2.3 has been released and has been published on the zlib web site, http://www.zlib.net . See bug #301646 for a patch to upgrade modules/zlib
13 years ago
Depends on: 301646
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla1.8beta4
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.