Bug#137973: fastjar: static link to insecure zlib

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#137973: fastjar: static link to insecure zlib
From: Colin Watson <cjwatson@debian.org>
Date: Tue, 12 Mar 2002 09:16:13 +0000
Message-id: <[🔎] 20020312091613.GA22124@arborlon.riva.ucam.org>
Reply-to: Colin Watson <cjwatson@debian.org>, 137973@bugs.debian.org

Package: fastjar
Version: 1:3.0.4-2
Severity: grave
Justification: user security hole
Tags: security

fastjar and grepjar both appear to link statically to zlib, so need to
be rebuilt against a zlib1g-dev not vulnerable to the recently announced
security hole.

(Actually, when I configured gcc-3.0 on auric it seemed to end up with
'ZLIBS = $(top_builddir)/../zlib/libz.a -L$(here)/../zlib/', despite the
use of --with-system-zlib. Perhaps src/zlib should be patched to be on
the safe side; diffing zlib_1.1.3-19.diff.gz and zlib_1.1.3-19.1.diff.gz
produces the patch.)

Thanks,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]

Reply to:

Follow-Ups:
- Bug#137973: marked as done (fastjar: static link to insecure zlib)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Processed: Re: Bug#123861: Acknowledgement (g++: `ios::ios(const ios &)' is private)
Next by Date: Processed: Re: Bug#137959: blas: FTBFS: test failures on hppa
Previous by thread: Processed: Re: Bug#123861: Acknowledgement (g++: `ios::ios(const ios &)' is private)
Next by thread: Bug#137973: marked as done (fastjar: static link to insecure zlib)
Index(es):
- Date
- Thread