Bug#137973: fastjar: static link to insecure zlib
Package: fastjar
Version: 1:3.0.4-2
Severity: grave
Justification: user security hole
Tags: security
fastjar and grepjar both appear to link statically to zlib, so need to
be rebuilt against a zlib1g-dev not vulnerable to the recently announced
security hole.
(Actually, when I configured gcc-3.0 on auric it seemed to end up with
'ZLIBS = $(top_builddir)/../zlib/libz.a -L$(here)/../zlib/', despite the
use of --with-system-zlib. Perhaps src/zlib should be patched to be on
the safe side; diffing zlib_1.1.3-19.diff.gz and zlib_1.1.3-19.1.diff.gz
produces the patch.)
Thanks,
--
Colin Watson [cjwatson@flatline.org.uk]
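An added example, not part of the original report or of fastjar's code: a way to find binaries that carry their own copy of zlib, using the copyright banners zlib compiles into its deflate and inflate code. The function names, the `libz.so` substring heuristic and the sample byte strings are assumptions constructed for this illustration.

```python
import re
import sys

# zlib compiles these banners into its deflate and inflate objects, so they
# are present in any binary that carries its own copy of the library.
BANNER = re.compile(rb"(deflate|inflate) (\d[\w.\-]*) Copyright")


def embedded_zlib(data):
    """Return e.g. {'deflate': {'1.1.3'}} for every zlib banner found in data."""
    found = {}
    for m in BANNER.finditer(data):
        found.setdefault(m.group(1).decode(), set()).add(m.group(2).decode())
    return found


def classify(data):
    """Heuristic verdict on how a binary gets zlib: static, dynamic, both, none."""
    static = bool(embedded_zlib(data))
    dynamic = b"libz.so" in data  # shared-library name recorded for the loader
    if static and dynamic:
        return "both"
    if static:
        return "static"
    return "dynamic" if dynamic else "none"


# Constructed sample inputs (not real binaries), so the example runs offline.
SAMPLE_STATIC = (
    b"\x7fELF\x00\x00 deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \x00"
    b"\x00 inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00"
)
SAMPLE_DYNAMIC = b"\x7fELF\x00libc.so.6\x00libz.so.1\x00inflateInit_\x00"

if __name__ == "__main__":
    # Usage: python3 this_file.py /usr/bin/some-binary ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(path, classify(blob), embedded_zlib(blob))
```

The banner shows only that a static copy is present and which upstream version it came from. A copy built from a distribution-patched source keeps the same upstream version string, so a hit means the binary needs a rebuild check, not that it is necessarily vulnerable.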