Subject: Re: NetBSD Security Advisory 2003-004: Format string vulnerability in zlib gzprintf()
To: Paul Hoffman <firstname.lastname@example.org>
From: David Maxwell <email@example.com>
Date: 03/26/2003 21:39:11
On Wed, Mar 26, 2003 at 02:58:37PM -0800, Paul Hoffman wrote:
> At 1:54 PM -0500 3/26/03, NetBSD Security Officer wrote:
> >* NetBSD 1.6:
> >. . .
> > Alternatively, apply the following patch (with potential offset
> > differences):
> > ftp://ftp.netbsd.org/pub/NetBSD/security/patches/SA2003-004-zlib-1.6.patch
> That works.
> > To patch, re-build and re-install zlib:
> > # cd src/lib/libz
> > # patch < /path/to/SA2003-004-zlib-1.6.patch
> That doesn't. The patch wants gzio.c, but it doesn't exist in the directory:
> . . .
> -rw-r--r-- 1 root wheel 16110 Mar 11 2002 example.c
> -rw-r--r-- 1 root wheel 2186 Oct 26 1999 gzio_compat.c
> -rw-r--r-- 1 root wheel 12502 Mar 11 2002 infblock.c
> . . .
That's very odd. How did you get that particular set of sources? I'd be
curious, since your set seems incomplete.
gzio.c was included in the src at the time of the 1.6 release (in fact,
it has been in the same place since before NetBSD 1.3...) and was at
revision 1.12 at the time of the 1.6 release.
You can see the same here:
One simple method - use this link:
That will download the gzio.c file, including the patch (you can see from
the patch header that it turns 1.12 into 220.127.116.11 - the link above will
give you a complete 18.104.22.168
David Maxwell, firstname.lastname@example.orgemail@example.com -->
(About an Amiga rendering landscapes) It's not thinking, it's being artistic!
- Jamie Woods