zlib bug

Andrew McDonald andrew@mcdonald.org.uk
Thu Mar 14 23:12:01 2002


On Fri, Mar 15, 2002 at 06:10:59PM -0300, Renato Martini wrote:
> 
> GnuPG uses the zlib library (release 1.1.3), and the
> systems affected are "any software that is linked to
> zlib 1.1.3 or earlier", or "data compression libraries derived from zlib 1.1.3 or
> earlier may contain a similar bug".
> 
> 
> Is gpg affected by this bug in zlib?
> Will the zlib library inside the GnuPG package or in CVS be changed?

Note that, as you are running Linux, it is quite likely that your gpg is
dynamically linked against the zlib libraries you probably have
installed on your system. You can check this with, e.g.:

admcd@bifrons:~$ ldd $(which gpg)
        libz.so.1 => /usr/lib/libz.so.1 (0x40022000)
        libdl.so.2 => /lib/libdl.so.2 (0x40031000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x40035000)
        libgdbm.so.1 => /usr/lib/libgdbm.so.1 (0x4004a000)
        libc.so.6 => /lib/libc.so.6 (0x40050000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

The libz is zlib. In this case you will want to upgrade the libz you
have installed and gpg will not need recompiling or relinking against
the updated version. Most of the main distributions have already
released updated zlib packages. Consult their security updates pages
for information.

-- 
Andrew McDonald
E-mail: andrew@mcdonald.org.uk
http://www.mcdonald.org.uk/andrew/
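
The check described in the message above, as an added example that is not part of the original post: shell functions that read `ldd` output, find the libz the binary resolves to, and compare the version in the library's real file name against 1.1.3. The function names and verdict strings are assumptions of this example, and because a distribution may ship a fixed library under an unchanged version number, the package manager's record remains the authority.

```shell
#!/bin/sh
# Added example (not from the original post): classify a binary's zlib linkage.
# Usage: ldd "$(command -v gpg)" | check_zlib
# All function names and verdict strings below are hypothetical.

# Read `ldd` output on stdin; print the path libz resolves to (empty if none).
libz_path() {
    awk '$1 ~ /^libz\.so/ && $2 == "=>" { print $3; exit }'
}

# Follow symlinks (e.g. libz.so.1 -> libz.so.1.1.3) and print the dotted
# version taken from the real file name. Prints nothing if the name carries
# only the soname, since "libz.so.1" says nothing about the release.
libz_version() {
    real=$(readlink -f "$1") || return 1
    basename "$real" |
        sed -n 's/^libz\.so\.\([0-9][0-9]*\.[0-9][0-9.]*\)$/\1/p'
}

# True if dotted version $1 is less than or equal to $2 (numeric per field).
version_le() {
    first=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)
    [ "$first" = "$1" ]
}

# Read `ldd` output on stdin and print one verdict line:
#   no-dynamic-libz          no shared libz; the binary may carry its own
#                            copy of zlib and would then need rebuilding
#   unknown-version PATH     file name does not reveal the release
#   upgrade-libz PATH VER    release is 1.1.3 or earlier; updating the
#                            shared library fixes the binary without relinking
#   ok PATH VER              release is later than 1.1.3
check_zlib() {
    path=$(libz_path)
    if [ -z "$path" ]; then
        echo "no-dynamic-libz"
        return 0
    fi
    ver=$(libz_version "$path") || ver=""
    if [ -z "$ver" ]; then
        echo "unknown-version $path"
    elif version_le "$ver" "1.1.3"; then
        echo "upgrade-libz $path $ver"
    else
        echo "ok $path $ver"
    fi
}
```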