ZLIB vulnerability

Anton Stiglic astiglic@okiok.com
Fri Mar 15 22:59:01 2002


----- Original Message -----
From: "Florian Weimer" <Weimer@CERT.Uni-Stuttgart.DE>
To: <gnupg-users@gnupg.org>
Sent: Friday, March 15, 2002 1:13 PM
Subject: Re: ZLIB vulnerability


> "AthlonRob" <athlonrobnf@cs.com> writes:
>
> > Does GnuPG actually include zlib itself, or does it just require you have
> > zlib on your system, and then utilize that?
>
> The source code includes a copy of zlib, but the build process uses
> the system zlib if available.

I happen to compile GnuPG under Windows (using Cygwin) where
I don't have a system zlib, so it uses the one that comes with gnupg.
The latest version of gnupg, 1.0.6, comes with zlib version 1.1.3
(which has the vulnerability).  So I replaced the zlib library with
zlib version 1.1.4 and recompiled my gnupg.

--Anton
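
The check this message implies, as an added example that is not part of the original post or of GnuPG: a shell script that walks a source tree for bundled zlib.h headers and flags any whose ZLIB_VERSION is lower than 1.1.4, the version the message upgrades to. The function names and the output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: locate bundled zlib copies in a source tree and flag old ones.
# FIXED is the version the message above upgrades to.
FIXED="1.1.4"

# Print the ZLIB_VERSION string defined in one zlib.h file (empty if none).
zlib_header_version() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}ZLIB_VERSION[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 if dotted version $1 is lower than $2, comparing fields numerically.
version_lt() {
    if [ "$1" = "$2" ]; then
        return 1
    fi
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)
    [ "$lowest" = "$1" ]
}

# Scan a tree; print "VULNERABLE <version> <path>" or "ok <version> <path>"
# for every zlib.h that carries a ZLIB_VERSION define.
scan_tree() {
    find "$1" -type f -name zlib.h | while IFS= read -r hdr; do
        ver=$(zlib_header_version "$hdr")
        if [ -z "$ver" ]; then
            continue
        fi
        if version_lt "$ver" "$FIXED"; then
            echo "VULNERABLE $ver $hdr"
        else
            echo "ok $ver $hdr"
        fi
    done
}

# Usage: sh scan_zlib.sh /path/to/unpacked/source
if [ "$#" -gt 0 ]; then
    scan_tree "$1"
fi
```

Because the build prefers a system zlib when one is available, a flagged bundled copy matters only where the build falls back to it, as in the Cygwin case described above.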