Puppy Linux Discussion Forum

[Mathiasdm]

I don't know if zlib is used in puppy, but I thought I'd post it:

http://www.techworld.com/security/news/index.cfm?NewsID=3994

Gentoo Linux has warned of a serious, unpatched security flaw in zlib, a compression library widely used in Linux and Unix applications. The bug could be exploited to crash any application using zlib, and possibly to run malicious code on a system, security experts warned.

Separately, exploit code has appeared for a flaw affecting older versions of Firefox, increasing the risk of active attacks on the browser.

The bug affects zlib 1.2.2, and no patch is available from the zlib project. However, several Linux and Unix vendors immediately issued their own updates for the library, including Ubuntu, Red Hat, Gentoo, Suse, Debian and FreeBSD.

Tavis Ormandy of Gentoo's security audit team discovered the flaw, which the company said could be exploited remotely. "An attacker could construct a malformed data stream, embedding it within network communication or an application file format, potentially resulting in the execution of arbitrary code when decoded by the application using the zlib library," Gentoo said in an advisory.

Independent security firm Secunia said the bug was due to a boundary error in "inftrees.c" when handling corrupted compressed data streams. Secunia marked the flaw as "highly critical" rating, its second most serious rating.

Zlib 1.2.2 itself replaced version 1.2.1, which was affected by a less-serious bug allowing denial of service attacks. The new bug may also affect versions earlier than 1.2.2.

[GuestToo]

Puppy seems to have zlib 1.1.4 ... /lib/libz.so.1.1.4
which shouldn't have that bug

though you can install the latest version if you like
i don't know if there would be compatibility problems or not ... i have it installed and haven't noticed any problems so far ... it's about 60k