ZLIB and Cygwin (was: Re: ZLIB vulnerability)

disastry@saiknes.lv.NO.SPaM.NET disastry@saiknes.lv.NO.SPaM.NET
Sun Mar 17 12:37:01 2002

Hash: RIPEMD160

Anton Stiglic astiglic@okiok.com wrote:
> > "AthlonRob" <athlonrobnf@cs.com> writes:
> >
> > > Does GnuPG actually include zlib itself, or does it just require you have
> > > zlib on your system, and then utilize that?
> >
> > The source code includes a copy of zlib, but the build process uses
> > the system zlib if available.
> I happen to compile GnuPG under Windows (using Cygwin) where
> I don't have a system zlib, so it uses the one that comes with gnupg.
> The latest version of gnupg, 1.0.6, comes with zlib version 1.1.3
> (which has the vulnerability).  So I replaced the zlib library with
> zlib version 1.1.4 and recompiled my gnupg.
> --Anton

actually you may be wrong:
Cygwin have zlib - cygz.dll
and GPG compiled with Cygwin uses it (I just checked with depends.exe)

so you need newer cygz.dll.
(unless you compile GPG with --with-included-zlib switch)

Disastry  http://disastry.dhs.org/
http://disastry.dhs.org/pgp <----PGP plugins for Netscape and MDaemon
 ^----PGP 2.6.3ia-multi05 (supports IDEA, CAST5, BLOWFISH, TWOFISH,
      AES, 3DES ciphers and MD5, SHA1, RIPEMD160, SHA2 hashes)
Version: Netscape PGP half-Plugin 0.15 by Disastry / PGPsdk v1.7.1