From owner-freebsd-bugs@FreeBSD.ORG  Mon Nov 14 16:40:28 2005
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 89EC016A41F
	for <freebsd-bugs@hub.freebsd.org>;
	Mon, 14 Nov 2005 16:40:28 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B716843D5C
	for <freebsd-bugs@hub.freebsd.org>;
	Mon, 14 Nov 2005 16:40:25 +0000 (GMT)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.3/8.13.3) with ESMTP id jAEGePos036760
	for <freebsd-bugs@freefall.freebsd.org>; Mon, 14 Nov 2005 16:40:25 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.3/8.13.1/Submit) id jAEGePOZ036759;
	Mon, 14 Nov 2005 16:40:25 GMT (envelope-from gnats)
Resent-Date: Mon, 14 Nov 2005 16:40:25 GMT
Resent-Message-Id: <200511141640.jAEGePOZ036759@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	"Jukka A. Ukkonen" <jau@iki.fi>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id DED1416A41F
	for <freebsd-gnats-submit@FreeBSD.org>;
	Mon, 14 Nov 2005 16:38:59 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 98BE143D46
	for <freebsd-gnats-submit@FreeBSD.org>;
	Mon, 14 Nov 2005 16:38:59 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id jAEGcxE0024130
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 14 Nov 2005 16:38:59 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id jAEGcx85024129;
	Mon, 14 Nov 2005 16:38:59 GMT (envelope-from nobody)
Message-Id: <200511141638.jAEGcx85024129@www.freebsd.org>
Date: Mon, 14 Nov 2005 16:38:59 GMT
From: "Jukka A. Ukkonen" <jau@iki.fi>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-2.3
Cc: 
Subject: misc/89012: FreeBSD-6.0 is still using zlib-1.2.2
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Nov 2005 16:40:28 -0000


>Number:         89012
>Category:       misc
>Synopsis:       FreeBSD-6.0 is still using zlib-1.2.2
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 14 16:40:25 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Jukka A. Ukkonen
>Release:        FreeBSD-6.0-STABLE
>Organization:
private citizen
>Environment:
This report does not refer to an installed FreeBSD-6.0 but to
plain source code review.


>Description:
              The ZLIB origin site (www.zlib.net) states this...
------
Current release:
zlib 1.2.3

July 18, 2005

Version 1.2.3 eliminates potential security vulnerabilities in zlib 1.2.1 and 1.2.2, so all users of those versions should upgrade immediately. The following important fixes are provided in zlib 1.2.3 over 1.2.1 and 1.2.2: 
------

For some odd reason FreeBSD-6.0 seems to be using zlib-1.2.2 though it is claimed
to carry security issues.

>How-To-Repeat:
              Either look into the source tree /usr/src/lib/libz/zlib.h or
on systems with FreeBSD-6.0 already installed look into /usr/include/zlib.h.

There are lines like...

#define ZLIB_VERSION "1.2.2"
#define ZLIB_VERNUM 0x1220

though for zlib-1.2.3 they should be ...

#define ZLIB_VERSION "1.2.3"
#define ZLIB_VERNUM 0x1230


>Fix:
              AFAIK zlib-1.2.3 should be a drop in replacement for 1.2.2
unless the original source files have been mutilated while imported to the
FreeBSD source tree.
Simply replace the 1.2.2 source files using the current 1.2.3 source files,
re-compile, and re-install.


>Release-Note:
>Audit-Trail:
>Unformatted: