zlib bug

A Guy Called Tyketto tyketto@wizard.com
Thu Mar 14 23:47:01 2002

On Fri, Mar 15, 2002 at 06:10:59PM -0300, Renato Martini wrote:
> I just read the "CERT Advisory CA-2002-07 Double Free Bug in zlib Compression
> Library" - CA-2002-07, http://www.cert.org/advisories/CA-2002-07.html.
>
> GnuPG uses the zlib library (release 1.1.3), and the systems affected are
> "any software that is linked to zlib 1.1.3 or earlier", or "data compression
> libraries derived from zlib 1.1.3 or earlier may contain a similar bug".
>
> Is gpg affected by this bug in zlib?
> Will the zlib library inside the GnuPG package or in CVS be changed?

        I'm pretty sure Werner is including zlib 1.1.4 in the next release
(it would be safe to assume so, unless he says otherwise), but it would be in
one's best interest to uninstall GnuPG, update your zlib, and recompile GnuPG
against it. I played it safe and recompiled against zlib 1.1.4, so I know my
binaries aren't affected by the bug.

        Err on the side of caution, and be paranoid. ;)

                                                        BL.
-- 
Brad Littlejohn                         | Email:        tyketto@wizard.com
Unix Systems Administrator,             |           tyketto@ozemail.com.au
Web + NewsMaster, BOFH.. Smeghead! :)   |   http://www.wizard.com/~tyketto
  PGP: 1024D/E319F0BF 6980 AAD6 7329 E9E6 D569  F620 C819 199A E319 F0BF
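The advice above comes down to making sure the binary you run is built against zlib 1.1.4 or later. The script below is an added example, not code from the thread or from GnuPG: it reads `ldd` output to find the libz a binary links dynamically, asks that library for its version through its own `zlibVersion()`, and compares it against 1.1.4. It assumes `ldd` is present; a zlib compiled into the binary itself (the thread mentions the copy shipped inside the GnuPG package) never appears in `ldd` output and has to be checked in the source tree instead.

```python
import ctypes
import ctypes.util
import re
import subprocess
import sys
from typing import Optional

FIXED_VERSION = (1, 1, 4)  # first zlib release without the CA-2002-07 double free

def parse_version(text: str) -> tuple:
    """Turn '1.1.3' or '1.2.11' into a tuple of ints that compares correctly."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised zlib version: {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)

def is_affected(version: str) -> bool:
    """True for zlib 1.1.3 or earlier, the releases named in CA-2002-07."""
    return parse_version(version) < FIXED_VERSION

def libz_from_ldd(ldd_output: str) -> Optional[str]:
    """libz path resolved by ldd, or None when zlib is not dynamically linked.
    A zlib compiled into the binary itself does not show up here at all."""
    for line in ldd_output.splitlines():
        m = re.search(r"libz\.so\S*\s+=>\s+(\S+)", line)
        if m:
            return m.group(1)
    return None

def linked_libz(binary: str) -> Optional[str]:
    """Run ldd on a binary and report which libz it resolves to."""
    out = subprocess.run(["ldd", binary], capture_output=True, text=True)
    return libz_from_ldd(out.stdout)

def runtime_zlib_version(path: Optional[str] = None) -> Optional[str]:
    """Ask a zlib shared object for its version string via its own zlibVersion()."""
    path = path or ctypes.util.find_library("z")
    if not path:
        return None
    lib = ctypes.CDLL(path)
    lib.zlibVersion.restype = ctypes.c_char_p
    return lib.zlibVersion().decode()

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    path = linked_libz(target)
    ver = runtime_zlib_version(path) if path else None  # no fallback: a static copy must be checked in source
    print(target, path, ver, "AFFECTED" if ver and is_affected(ver) else "fixed or unknown")
```

Saved as, say, check_zlib.py (a hypothetical name) and run with the path to a gpg binary, it prints the resolved libz and whether that version predates the fix; "None" for the path means zlib is not dynamically linked and the bundled copy has to be inspected directly.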
