1st security warning: "installed zlib version may contain a security bug"

Ted Mittelstaedt tedm at toybox.placo.com
Sun Jan 30 16:39:28 PST 2005



> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Lowell Gilbert
> Sent: Sunday, January 30, 2005 7:38 AM
> To: Timothy Luoma
> Cc: FreeBSD-Questions Questions
> Subject: Re: 1st security warning: "installed zlib version may contain
> a security bug"
>
>
> Timothy Luoma <lists at tntluoma.com> writes:
>
> > I was trying to configure && make 'clamav-0.81' when it complained
> > about this:
> >
> > configure: error: The installed zlib version may contain a security
> > bug. Please upgrade to 1.2.2 or later: http://www.zlib.net. You can
> > omit this check with --disable-zlib-vcheck but DO NOT REPORT any
> > stablility issues then!
> >
> > I went to zlib.net, downloaded 1.2.2, did './configure && make install
> > clean'
> >
> > Is that all I need to do?  This is my first "security warning" so I
> > want to make sure I'm not missing something obvious.
>
> It sounds like you're missing the ports collection, to begin with.  It
> will handle dependencies for you, a big help in upgrades.

Lowell,

Considering that /ports/security/clamav was only updated to
clamav 0.81 6 hours ago, it is quite expected that the OP would
have tried building this himself.

> And you
> should try to use the FreeBSD base system upgrades and security
> advisories for keeping up on security issues, rather than trying to
> install bits and pieces yourself (unlike, say, Linux, FreeBSD is a
> whole operating system).
>

zlib is part of the base OS; it should be at version 1.2.2 in FreeBSD
4.11R, since version 1.2.2 was released in October 2004.

However, all prior FreeBSD releases will be at 1.2.1.  And furthermore there is
NO current security advisory on zlib for FreeBSD. I might also point
out that http://www.gzip.org/zlib/ still shows the old zlib.

This is an easy fix.  Download zlib 1.2.2 from http://www.zlib.net
and build it according to the instructions and install it in
/usr/local.  Temporarily rename /usr/lib/libz.a, /usr/lib/libz.so,
/usr/lib/libz.so.2, and /usr/lib/libz_p.a to backup files, build
clamav (this will shut up clamav and allow it to build), then
rename them back.

Keep in mind that this WILL NOT fix the zlib security hole in
the system.  zlib is probably linked into a number of utilities
on your system and a proper fix would be to replace the zlib
library, and recompile all the utilities in the system that
are linked into the static library.

Ted
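As an added illustration (not part of this thread, and not clamav's own configure code), a small POSIX sh check in the spirit of the one clamav 0.81's configure performs: read ZLIB_VERSION from a zlib.h and compare it numerically, component by component, against the 1.2.2 minimum. The header path is passed as an argument (the system copy is normally /usr/include/zlib.h); the function and variable names are my own.

```shell
#!/bin/sh
# Added example: does the given zlib.h declare a ZLIB_VERSION of at least
# the 1.2.2 that clamav 0.81's configure insists on?  Function names and
# the MIN_ZLIB variable are this example's own, not clamav's.
MIN_ZLIB=1.2.2

# zlib_version_from_header <zlib.h> -> prints the quoted version, e.g. 1.2.1
zlib_version_from_header() {
    sed -n 's/^#define[[:space:]]*ZLIB_VERSION[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# version_ge A B -> exit 0 when dotted version A >= B.
# Components are compared as integers (so 1.10.0 > 1.9.9); a missing
# component counts as 0.  Suffixes such as "-beta" are not handled.
version_ge() {
    a=$1; b=$2; i=1
    while [ "$i" -le 4 ]; do
        x=$(echo "$a" | cut -d. -f"$i"); y=$(echo "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# zlib_check <zlib.h> -> 0 if new enough, 1 if too old, 2 if no version found
zlib_check() {
    v=$(zlib_version_from_header "$1")
    [ -n "$v" ] || { echo "no ZLIB_VERSION found in $1" >&2; return 2; }
    if version_ge "$v" "$MIN_ZLIB"; then
        echo "zlib $v: ok (>= $MIN_ZLIB)"
        return 0
    fi
    echo "zlib $v: older than $MIN_ZLIB; clamav's configure will refuse to build" >&2
    return 1
}

# Usage: sh zlibcheck.sh /usr/include/zlib.h
if [ $# -gt 0 ]; then zlib_check "$1"; fi
```

Note that a passing check only says which zlib.h the build will see; as the message above points out, it says nothing about the libz the rest of the base system was linked against.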



More information about the freebsd-questions mailing list