Security problem with zlib

David Shaw dshaw at
Sat Jul 9 04:23:51 CEST 2005

On Fri, Jul 08, 2005 at 09:44:32AM +0200, Johan Wevers wrote:
> David Shaw wrote:
> >If you compile GnuPG on a system that has a zlib, the system zlib is
> >used.  Your system zlib may or may not be vulnerable to the recent
> >problem.  If your system zlib is vulnerable, then I strongly recommend
> >that you upgrade :)
> OK, so I assume GnuPG is exploitable with this bug. I assume it is only
> vulnerable when deliberately corrupt data is fed into it, like with a
> buffer overflow (I could not determine if the bug is a buffer overflow,
> although the description suggested it)?

Basically, yes.  It's unclear if the bug is exploitable beyond
crashing the process that is using zlib, but the crash is certainly

Oddly, I haven't seen any mention of this on the zlib main web site -
just on bugtraq and the CVE site.


More information about the Gnupg-users mailing list