zlib version 1.2.3 was released long ago, July 18, 2005

lordcool
Posts: 15
Joined: Thu Jul 13, 2006 8:33 am

Post by lordcool »

I read the news: zlib 1.2.2 has a highly critical security problem because of a buffer overflow.

Still, Irrlicht 1.1 uses 1.2.2.

http://www.zlib.net/
Mancuso Raffaele
Posts: 70
Joined: Sat Dec 17, 2005 4:43 pm
Location: licata (AG) italy

Post by Mancuso Raffaele »

"Version 1.2.3 eliminates potential security vulnerabilities in zlib 1.2.1 and 1.2.2, so all users of those versions should upgrade immediately. The following important fixes are provided in zlib 1.2.3 over 1.2.1 and 1.2.2"
so?
Bye all,
Mancuso Raffaele (Ares FPS game)
vitek
Bug Slayer
Posts: 3919
Joined: Mon Jan 16, 2006 10:52 am
Location: Corvallis, OR

Post by vitek »

That means that there is a chance that someone could exploit the vulnerability to cause problems.

Imagine the following scenario... Irrlicht is used to write a multiplayer online game that allows user map generation and sharing. The map files are written out by an external program and saved with all of the map data in a zip archive.

Some turd finds out that Irrlicht is using an unsafe version of zlib so he makes a zip that exploits the known vulnerability. It uses a buffer overflow to do something dastardly like delete files, install a trojan, or open up a backdoor. Not good.

Granted that it is not likely to be a problem, there is always the potential. It should not be difficult to swap in the new version of zlib for the next version either, so why not just do it?

Travis
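
An added example, not code from any poster in this thread or from Irrlicht: one way to check which zlib a shipped binary was built with, since a statically linked zlib leaves its `inflate`/`deflate` copyright strings (which include the version) in the image. The function names and the sample buffers are constructed for illustration; the check flags 1.2.1 and 1.2.2, the versions the quoted 1.2.3 announcement says to upgrade from.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample images (not real binaries): bytes with an embedded
 * zlib copyright string, as left behind by a statically linked zlib. */
static const unsigned char sample_old[] =
    "MZ\0\0junk\0 inflate 1.2.2 Copyright 1995-2004 Mark Adler \0tail";
static const unsigned char sample_new[] =
    "MZ\0\0junk\0 deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly \0tail";

/* Find " inflate X.Y.Z Copyright" or " deflate X.Y.Z Copyright" in a raw
 * buffer and copy X.Y.Z into out. Returns 1 if found, 0 otherwise. */
int find_bundled_zlib(const unsigned char *buf, size_t len, char *out, size_t outsz) {
    static const char *markers[] = { " inflate ", " deflate " };
    if (outsz == 0) return 0;
    for (size_t i = 0; i < len; i++) {
        for (int m = 0; m < 2; m++) {
            size_t ml = strlen(markers[m]), n = 0;
            if (len - i < ml || memcmp(buf + i, markers[m], ml) != 0) continue;
            size_t j = i + ml;
            while (j < len && n + 1 < outsz &&
                   ((buf[j] >= '0' && buf[j] <= '9') || buf[j] == '.'))
                out[n++] = (char)buf[j++];
            out[n] = '\0';
            /* Require " Copyright" after the version to avoid chance matches. */
            if (n > 0 && len - j >= 10 && memcmp(buf + j, " Copyright", 10) == 0)
                return 1;
        }
    }
    out[0] = '\0';
    return 0;
}

/* 0 = no zlib string found, 1 = found, 2 = found and it is 1.2.1 or 1.2.2,
 * the versions the quoted 1.2.3 announcement says to upgrade from. */
int check_image(const unsigned char *buf, size_t len) {
    char v[32];
    if (!find_bundled_zlib(buf, len, v, sizeof v)) return 0;
    return (strcmp(v, "1.2.1") == 0 || strcmp(v, "1.2.2") == 0) ? 2 : 1;
}

int main(void) {
    printf("sample_old: %d\n", check_image(sample_old, sizeof sample_old));
    printf("sample_new: %d\n", check_image(sample_new, sizeof sample_new));
    return 0;
}
```

A result of 0 only means no marker string was found; a stripped or dynamically linked build needs the version checked another way.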