zlib vulnerability affects Java?

  1. zlib vulnerability affects Java? (5 messages)

    zlib, "A Massively Spiffy Yet Delicately Unobtrusive Compression Library," has been updated to 1.2.2 to correct a security vulnerability that might allow an attacker to crash a process or (potentially) execute arbitrary code.

    This is important for Java because zlib is used to manage ZIP compression in the java.util.zip package. Given that most jars are used from external sources, developers and deployers may want to make sure the deployed jars are valid.

    It may also be worth investigating how the JVM leverages zlib; if it's statically linked (which might have been the case in older JVMs), correcting the vulnerability would mean deploying new JVMs entirely. If it's dynamically linked (as in new JVMs), an update to zlib might be in order.

    Incidentally, Mustang's builds (as of b39, at least) have zlib 1.1.3 in the build tree, which does suffer the vulnerability. While Mustang (and, presumably, older versions of the JVM as well) load zlib dynamically, you may want to confirm which version of zlib is being loaded (and, of course, make sure that zlib 1.2.2 is on your system.)
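The linkage check the post recommends, as an added example that is not part of the original post or of any JDK tooling: a POSIX shell script that finds the JVM's native zip library, asks ldd whether it pulls in a shared libz (update the system zlib) or carries zlib internally (replace the JVM), and reads the version out of the " inflate x.y.z Copyright ... " / " deflate x.y.z Copyright ... " strings that zlib compiles into every build. Assumptions not taken from the page: a Linux host with ldd, find, tr, grep and awk; the native library is named libzip.so somewhere under JAVA_HOME; and the affected-version list in is_vulnerable_version (1.2.1 and 1.2.2, from the zlib.net notice quoted in the replies) is a parameter you adjust to whichever advisory you are acting on.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes Linux (ldd) and a
# JVM whose native zip support lives in libzip.so under JAVA_HOME.

# Print the zlib version embedded in a binary. zlib compiles copyright
# strings such as " inflate 1.2.2 Copyright 1995-2004 Mark Adler " into
# inflate.c/deflate.c, so any object that contains zlib code carries one.
# Non-printable bytes are turned into newlines first so grep sees text.
# Prints nothing when no such string is present.
zlib_version_in() {
    tr -c '[:print:]' '\n' < "$1" 2>/dev/null \
        | grep -oE '(inflate|deflate) [0-9]+\.[0-9]+\.[0-9]+ Copyright' \
        | awk '{ print $2 }' \
        | sort -u | head -n 1      # inflate and deflate normally agree
}

# Exit 0 when the version is one the zlib.net notice quoted in this thread
# names as affected (1.2.1 and 1.2.2). Adjust to the advisory you act on.
is_vulnerable_version() {
    case "$1" in
        1.2.1|1.2.2) return 0 ;;
        *)           return 1 ;;
    esac
}

# Report how an object gets zlib: "dynamic <path to libz.so>", "static"
# (zlib code is inside the object itself) or "none".
linked_zlib() {
    obj="$1"
    shared=$(ldd "$obj" 2>/dev/null | awk '/libz\.so/ { print $3; exit }')
    if [ -n "$shared" ]; then
        echo "dynamic $shared"
    elif [ -n "$(zlib_version_in "$obj")" ]; then
        echo "static"
    else
        echo "none"
    fi
}

# Locate libzip.so under a JAVA_HOME (old layouts use jre/lib/<arch>, new
# ones lib/), work out which zlib it really uses, and say what to update.
# Returns 0 when the zlib in use is not on the affected list.
check_jvm() {
    home="${1:-$JAVA_HOME}"
    [ -n "$home" ] || { echo "usage: check_jvm <java-home>" >&2; return 2; }
    libzip=$(find "$home" -name 'libzip.so' 2>/dev/null | head -n 1)
    [ -n "$libzip" ] || { echo "no libzip.so under $home" >&2; return 2; }

    link=$(linked_zlib "$libzip")
    case "$link" in
        dynamic*) obj="${link#dynamic }"
                  fix="system zlib at $obj (update the zlib package)" ;;
        static)   obj="$libzip"
                  fix="zlib compiled into $libzip (deploy a new JVM)" ;;
        *)        echo "$libzip: no zlib found, check manually"; return 1 ;;
    esac

    ver=$(zlib_version_in "$obj")
    if is_vulnerable_version "$ver"; then
        echo "VULNERABLE: zlib $ver, $fix"
        return 1
    fi
    echo "ok: zlib ${ver:-unknown}, $fix"
    return 0
}

# Run against the JAVA_HOME given on the command line, e.g.
#   sh zlibcheck.sh /usr/lib/jvm/java
if [ "$#" -gt 0 ]; then
    check_jvm "$1"
fi
```

Run it against each JAVA_HOME you deploy on; the "dynamic" case tells you the path of the system libz that the JVM actually maps, which is the file whose version matters, not whatever zlib sources sit in the JDK build tree.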

  2. What to make of this?

    IMPORTANT NOTE: (July 10, 2005) A new security vulnerability has been discovered in which specially crafted input files can cause inflate to overwrite memory that follows the internal inflate state. This can cause the application to crash depending on what is overwritten. This vulnerability only affects versions 1.2.1 and 1.2.2 of zlib. Earlier versions, e.g. 1.1.4, are not affected.

    (The above is from http://www.zlib.net/)

    Does this mean that 1.2.2 has the bug? And Java is safe because java uses the previous versions?
  3. Doesn't look like it

    Incidentally, Mustang's builds (as of b39, at least) have zlib 1.1.3 in the build tree, which does suffer the vulnerability. While Mustang (and, presumably, older versions of the JVM as well) load zlib dynamically, you may want to confirm which version of zlib is being loaded (and, of course, make sure that zlib 1.2.2 is on your system.)

    The zlib site as noted above seems to contradict this advice. It states the older versions (1.1.4 and below) are safe and that the newer versions are not (1.2.1 and 1.2.2)
  4. Both the zlib site and the Secunia security advisory directly contradict what the original post says. It is 1.2.1 and 1.2.2 that are vulnerable. Older 1.1.x versions are NOT.
  5. zlib vulnerability affects Java?

    Yes, the original is wrong.
  6. b

    b