From nobody@FreeBSD.org  Mon Nov 14 16:38:59 2005
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id DED1416A41F
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 14 Nov 2005 16:38:59 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 98BE143D46
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 14 Nov 2005 16:38:59 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id jAEGcxE0024130
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 14 Nov 2005 16:38:59 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id jAEGcx85024129;
	Mon, 14 Nov 2005 16:38:59 GMT
	(envelope-from nobody)
Message-Id: <200511141638.jAEGcx85024129@www.freebsd.org>
Date: Mon, 14 Nov 2005 16:38:59 GMT
From: "Jukka A. Ukkonen" <jau@iki.fi>
To: freebsd-gnats-submit@FreeBSD.org
Subject: FreeBSD-6.0 is still using zlib-1.2.2
X-Send-Pr-Version: www-2.3

>Number:         89012
>Category:       bin
>Synopsis:       [libz] FreeBSD-6.0 is still using zlib-1.2.2
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 14 16:40:25 GMT 2005
>Closed-Date:    Mon Sep 25 16:37:15 GMT 2006
>Last-Modified:  Mon Sep 25 16:37:15 GMT 2006
>Originator:     Jukka A. Ukkonen
>Release:        FreeBSD-6.0-STABLE
>Organization:
private citizen
>Environment:
This report does not refer to an installed FreeBSD-6.0 but to
plain source code review.


>Description:
              The ZLIB origin site (www.zlib.net) states this...
------
Current release:
zlib 1.2.3

July 18, 2005

Version 1.2.3 eliminates potential security vulnerabilities in zlib 1.2.1 and 1.2.2, so all users of those versions should upgrade immediately. The following important fixes are provided in zlib 1.2.3 over 1.2.1 and 1.2.2: 
------

For some odd reason FreeBSD-6.0 seems to be using zlib-1.2.2 though it is claimed
to carry security issues.

>How-To-Repeat:
              Either look into the source tree /usr/src/lib/libz/zlib.h or,
on systems with FreeBSD-6.0 already installed, look into /usr/include/zlib.h.

There are lines like...

#define ZLIB_VERSION "1.2.2"
#define ZLIB_VERNUM 0x1220

though for zlib-1.2.3 they should be ...

#define ZLIB_VERSION "1.2.3"
#define ZLIB_VERNUM 0x1230


>Fix:
              AFAIK zlib-1.2.3 should be a drop-in replacement for 1.2.2
unless the original source files have been mutilated while being imported into the
FreeBSD source tree.
Simply replace the 1.2.2 source files using the current 1.2.3 source files,
re-compile, and re-install.


>Release-Note:
>Audit-Trail:

From: Kris Kennaway <kris@obsecurity.org>
To: "Jukka A. Ukkonen" <jau@iki.fi>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/89012: FreeBSD-6.0 is still using zlib-1.2.2
Date: Mon, 14 Nov 2005 21:43:09 -0500

 On Mon, Nov 14, 2005 at 04:38:59PM +0000, Jukka A. Ukkonen wrote:
 > 
 > >Number:         89012
 > >Category:       misc
 > >Synopsis:       FreeBSD-6.0 is still using zlib-1.2.2
 > >Confidential:   no
 > >Severity:       serious
 > >Priority:       medium
 > >Responsible:    freebsd-bugs
 > >State:          open
 > >Quarter:        
 > >Keywords:       
 > >Date-Required:
 > >Class:          sw-bug
 > >Submitter-Id:   current-users
 > >Arrival-Date:   Mon Nov 14 16:40:25 GMT 2005
 > >Closed-Date:
 > >Last-Modified:
 > >Originator:     Jukka A. Ukkonen
 > >Release:        FreeBSD-6.0-STABLE
 > >Organization:
 > private citizen
 > >Environment:
 > This report does not refer to an installed FreeBSD-6.0 but to
 > plain source code review.
 > 
 > 
 > >Description:
 >               The ZLIB origin site (www.zlib.net) states this...
 > ------
 > Current release:
 > zlib 1.2.3
 > 
 > July 18, 2005
 > 
 > Version 1.2.3 eliminates potential security vulnerabilities in zlib 1.2.1 and 1.2.2, so all users of those versions should upgrade immediately. The following important fixes are provided in zlib 1.2.3 over 1.2.1 and 1.2.2: 
 > ------
 > 
 > For some odd reason FreeBSD-6.0 seems to be using zlib-1.2.2 though it is claimed
 > to carry security issues.
 
 The security issues were fixed without performing a full upgrade to
 1.2.3 (as described in the relevant FreeBSD security advisory).  Do
 you have reason to believe otherwise?
 
 Kris
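
The header check the report's How-To-Repeat section describes, as an added
example that is not part of the PR or of FreeBSD's or zlib's own code. It pulls
ZLIB_VERSION and ZLIB_VERNUM out of a zlib.h, verifies that the two macros agree
(zlib encodes "X.Y.Z" as 0xXYZ0), and compares the result against a required
minimum such as 0x1230. The sample headers it writes are constructed for the
demo; on a real box you would point zlib_check at /usr/include/zlib.h or
/usr/src/lib/libz/zlib.h. Keep Kris's point above in mind when reading the
output: a header that still says 1.2.2 tells you which upstream release the
tree was imported from, not whether the security fixes were backported, so a
"too old" result is a prompt to read the advisory, not proof of a vulnerable
build.

```shell
#!/bin/sh
# Added example (not FreeBSD or zlib project code): inspect the ZLIB_VERSION
# and ZLIB_VERNUM macros in a zlib.h and compare them with a required minimum.
# make_sample_header writes constructed headers for the stand-alone demo.

# Print "VERSION VERNUM" for a header, e.g. "1.2.2 0x1220"; fail if either is missing.
zlib_header_macros() {
    awk '
        $1 == "#define" && $2 == "ZLIB_VERSION" { gsub(/"/, "", $3); ver = $3 }
        $1 == "#define" && $2 == "ZLIB_VERNUM"  { num = $3 }
        END { if (ver == "" || num == "") exit 1; print ver, num }
    ' "$1"
}

# Encode "X.Y.Z" the way zlib encodes ZLIB_VERNUM: one hex digit per component,
# followed by a zero nibble (1.2.3 -> 0x1230, 1.2.11 -> 0x12b0).
zlib_vernum_from_version() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    printf '0x%x%x%x0\n' "${1:-0}" "${2:-0}" "${3:-0}"
}

# zlib_check HEADER MIN_VERNUM
#   exit 0: header version >= MIN_VERNUM and the two macros agree
#   exit 1: header version is older than MIN_VERNUM
#   exit 2: macros missing, or ZLIB_VERSION and ZLIB_VERNUM disagree
# (plain sh has no "local", so the variables below are global)
zlib_check() {
    header=$1
    min=$2
    macros=$(zlib_header_macros "$header") || {
        echo "$header: ZLIB_VERSION/ZLIB_VERNUM not found"
        return 2
    }
    ver=${macros% *}
    num=${macros#* }
    expect=$(zlib_vernum_from_version "$ver")
    if [ $((expect)) -ne $((num)) ]; then
        echo "$header: ZLIB_VERSION $ver does not match ZLIB_VERNUM $num (expected $expect)"
        return 2
    fi
    if [ $((num)) -lt $((min)) ]; then
        echo "$header: zlib $ver ($num) is older than required $min"
        return 1
    fi
    echo "$header: zlib $ver ($num) satisfies minimum $min"
    return 0
}

# Write a minimal constructed zlib.h-like file carrying the given macros.
make_sample_header() {
    cat > "$1" <<EOF
/* constructed sample for the demo, not a real zlib.h */
#define ZLIB_VERSION "$2"
#define ZLIB_VERNUM $3
EOF
}

# Stand-alone demo: a 1.2.2 header like the one the PR describes, and a 1.2.3 one.
tmp=$(mktemp -d)
make_sample_header "$tmp/zlib-1.2.2.h" 1.2.2 0x1220
make_sample_header "$tmp/zlib-1.2.3.h" 1.2.3 0x1230
zlib_check "$tmp/zlib-1.2.2.h" 0x1230 || echo "  -> exit status $?"
zlib_check "$tmp/zlib-1.2.3.h" 0x1230 || echo "  -> exit status $?"
rm -rf "$tmp"
```

Running it against /usr/include/zlib.h on the 6.0 tree the PR talks about
would print the "older than required" line with exit status 1; the
ZLIB_VERNUM cross-check is there because a locally patched header with a
bumped string but an unbumped number (or the reverse) is easy to produce and
otherwise easy to miss.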
State-Changed-From-To: open->patched 
State-Changed-By: maxim 
State-Changed-When: Fri Apr 14 15:41:22 UTC 2006 
State-Changed-Why:  
des@ imported zlib 1.2.3 to HEAD. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=89012 
State-Changed-From-To: patched->closed 
State-Changed-By: maxim 
State-Changed-When: Mon Sep 25 16:36:40 UTC 2006 
State-Changed-Why:  
RELENG_6 got zlib 1.2.3 too. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=89012 
>Unformatted:
