The officially official Devuan Forum!

#1 2022-03-31 21:12:35

Altoid
Member
Registered: 2017-05-07
Posts: 1,045  

[SOLVED] Zlib crash-an-app bug - does it affect us?

Hello:

This article came up yesterday at ElReg:

Zlib crash-an-app bug finally squashed, 17 years later.
https://www.theregister.com/2022/03/30/ … /?td=rt-4a

It is about a long-standing bug in the zlib data-compression library.
Having been reported in 2018, it was never looked at or fixed.
Until now.

https://www.openwall.com/lists/oss-secu … 22/03/24/1

Jessica Lyons Hardcastle @The Register wrote:

A patch is available on Github, and security analysts recommend updating to Zlib version 1.2.12. Linux distros Ubuntu and Alpine, to name two, have also implemented the fix in their latest releases.

Don't know how problematic this can be for the everyday Devuan user.
It has been out there forever ...

Best,

A.

#2 2022-03-31 21:56:18

Marjorie
Member
From: Teignmouth, UK
Registered: 2019-06-09
Posts: 133  

Re: [SOLVED] Zlib crash-an-app bug - does it affect us?

It has been fixed in Debian for Bookworm and Sid (in zlib 1:1.2.11.dfsg-4).
Stretch, Buster and Bullseye have yet to be fixed.
https://security-tracker.debian.org/tra … ckage/zlib
I expect it will be fixed shortly in the remaining versions and all pulled into the Devuan repositories shortly thereafter.
For now stable and older remain vulnerable and can't yet be updated.

#3 2022-03-31 22:59:01

Altoid
Member
Registered: 2017-05-07
Posts: 1,045  

Re: [SOLVED] Zlib crash-an-app bug - does it affect us?

Hello:

Marjorie wrote:

... fixed in Debian for Bookworm and Sid ...
... Stretch, Buster and Bullseye have yet to be fixed.
... expect it will be fixed shortly ...
... stable and older remain vulnerable ...

Thanks for the information.
I guess we can wait a bit more, it's been out there forever. ;^)

Best,

A.

#4 2022-04-02 06:40:21

Marjorie
Member
From: Teignmouth, UK
Registered: 2019-06-09
Posts: 133  

Re: [SOLVED] Zlib crash-an-app bug - does it affect us?

My unattended-upgrades installed a new version of zlib1g:amd64 (1:1.2.11.dfsg-2+deb11u1) from Chimaera-security this morning. This is the zlib runtime.

https://security-tracker.debian.org/tra … ckage/zlib says this is the patched version and says it is no longer vulnerable. Both Buster and Bullseye have now been patched.

Last edited by Marjorie (2022-04-02 06:45:41)

#5 2022-04-02 10:46:40

Altoid
Member
Registered: 2017-05-07
Posts: 1,045  

Re: [SOLVED] Zlib crash-an-app bug - does it affect us?

Hello:

Marjorie wrote:

... installed a new version of zlib1g:amd64 (1:1.2.11.dfsg-2+deb11u1) from Chimaera-security this morning.

Thanks for the update on this.

Last night I updated my netbook and main box running Beowulf backported and saw the upgrade come in.

The following packages will be upgraded:
  rsyslog zlib1g zlib1g:i386 zlib1g-dev

Seems all is well and right on time as usual with Linux Devuan. 8^D

Best,

A.
