Secunia advisory: http://secunia.com/advisories/15949/

Any program that uses zlib is likely to be affected by this issue. An old list of programs that use zlib is here: http://www.gzip.org/zlib/apps.gz.html. If the program statically links zlib, the vendor will need to recompile and issue a patch. If they just ship the DLL, it may be possible to just replace the zlib.dll or zlib1.dll (on Windows).

Usage of zlib is very widespread and almost every major software vendor is using it. It affects Unix, Linux, Mac OS X and Windows machines.

A quick file search of "zlib" on one Windows machine turned up the following applications using the zlib DLL. No doubt many more applications have it statically linked.

BitTorrent
Ethereal
Trillian
Microsoft Office
Mozilla
HP LaserJet All-in-one
Netscape
DCplusplus
MySQL
Shareaza
WinVNC

Here is the patch found on debian.org [1]

$ diff -Naur inftrees.c ../zlib-1.2.2.orig/ --- inftrees.c 2005-07-10 13:38:37.000000000 +0100 +++ ../zlib-1.2.2.orig/inftrees.c 2004-09-15 15:30:06.000000000 +0100 @@ -134,7 +134,7 @@ left -= count[len]; if (left < 0) return -1; /* over-subscribed */ } - if (left > 0 && (type == CODES || max != 1)) + if (left > 0 && (type == CODES || (codes - count[0] != 1))) return -1; /* incomplete set */

The BSD flavors and many Linux flavors are already patched.

[1] posted to slashdot.org by alan@private
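
Review bot: the file headers of the inftrees.c diff are in reverse order. The "---" side is inftrees.c dated 2005-07-10 and the "+++" side is ../zlib-1.2.2.orig/inftrees.c dated 2004-09-15, so the "-" line with "max != 1" belongs to the newer file and the "+" line with "(codes - count[0] != 1)" belongs to the .orig tree. Applied as posted, the hunk would turn the newer file back into the .orig one. Regenerate it with the .orig file as the first argument to diff, or apply it with patch -R, and say in the accompanying text which of the two conditions is the intended result.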
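
The file search described above finds only copies of zlib shipped as a DLL. The following added example (not part of the original post) also reports statically linked copies by looking for the copyright banners that zlib compiles into its deflate and inflate code. The banner format is an assumption taken from the zlib sources rather than from this post, the function names are hypothetical, and the sample files are constructed stand-ins, not real binaries.

```python
import re
import tempfile
from pathlib import Path

# Assumption: zlib embeds banners such as
# " deflate 1.2.2 Copyright 1995-2004 Jean-loup Gailly " in compiled code,
# so they remain visible in binaries that link zlib statically.
ZLIB_BANNER = re.compile(
    rb"(deflate|inflate) (\d+(?:\.\d+){1,3}) Copyright 1995-\d{4} "
    rb"(?:Jean-loup Gailly|Mark Adler)")
DLL_NAMES = {"zlib.dll", "zlib1.dll"}  # the DLL names mentioned in the post


def scan_file(path):
    """Return (kind, versions) for one file, or None without zlib evidence."""
    try:
        data = Path(path).read_bytes()  # whole-file read; fine for a sketch
    except OSError:
        return None  # unreadable or missing files are skipped
    versions = sorted({m.group(2).decode() for m in ZLIB_BANNER.finditer(data)})
    if Path(path).name.lower() in DLL_NAMES:
        return ("shared", versions)    # replaceable DLL
    if versions:
        return ("embedded", versions)  # vendor must rebuild and reissue
    return None


def scan_tree(root):
    """Walk root and map relative path -> (kind, versions) for every hit."""
    root = Path(root)
    hits = {}
    for p in root.rglob("*"):
        if p.is_file():
            hit = scan_file(p)
            if hit:
                hits[p.relative_to(root).as_posix()] = hit
    return hits


def demo():
    """Scan a constructed sample tree."""
    with tempfile.TemporaryDirectory() as d:
        app = Path(d) / "app"
        app.mkdir()
        (app / "zlib1.dll").write_bytes(
            b"MZ\x00 deflate 1.2.2 Copyright 1995-2004 Jean-loup Gailly \x00")
        (app / "viewer.exe").write_bytes(
            b"MZ\x00 inflate 1.2.1 Copyright 1995-2003 Mark Adler \x00")
        (app / "readme.txt").write_bytes(b"uses zlib for compression")
        return scan_tree(d)


if __name__ == "__main__":
    for path, (kind, versions) in sorted(demo().items()):
        print(f"{kind:9} {path:20} {', '.join(versions) or 'unknown'}")
```

A "shared" hit can be handled by replacing the DLL, while an "embedded" hit needs a rebuilt binary from the vendor. Packed or stripped executables may hide the banner, so an empty result is not proof that zlib is absent.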
This archive was generated by hypermail 2.1.3 : Sun Jul 10 2005 - 09:13:15 PDT