zlib version 1.2.3 was Released long ago, July 18, 2005

lordcool · Post by **lordcool** » Thu Aug 24, 2006 1:33 pm

I read the news, zlib 1.2.2 has a highly critical security problem. because of buffer overflow.

Still, Irrlicht 1.1 use 1.2.2.

http://www.zlib.net/

Mancuso Raffaele · Post by **Mancuso Raffaele** » Mon Aug 28, 2006 2:56 pm

"Version 1.2.3 eliminates potential security vulnerabilities in zlib 1.2.1 and 1.2.2, so all users of those versions should upgrade immediately. The following important fixes are provided in zlib 1.2.3 over 1.2.1 and 1.2.2"
so?

vitek · Post by **vitek** » Mon Aug 28, 2006 3:11 pm

That means that there is a chance that someone could exploit the vulnerability to cause problems.

Imagine the following scenerio... Irrlicht is used to write a multiplayer online game that allows user map generation and sharing. The map files are written out by an external program and saved with all of the map data in a zip archive.

Some turd finds out that Irrlicht is using an unsafe version of zlib so he makes a zip that exploits the known vulnerability. It uses a buffer overflow to do something dastardly like delete files, install a trojan, or open up a backdoor. Not good.

Granted that it is not likely to be a problem, there is always the potential. It should not be difficult to swap in the new version of zlib for the next version either, so why not just do it?

Travis