From: SourceForge.net <no...@so...> - 2009-12-21 23:44:52
Patches item #2918870, was opened at 2009-12-21 21:41
Message generated for change (Comment added) made by kichik
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=373087&aid=2918870&group_id=22049

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: NSIS
Group: None
>Status: Pending
Resolution: None
Priority: 5
Private: No
Submitted By: f0rt (f0rt)
Assigned to: Amir Szekely (kichik)
Summary: Usage of the zlib compression library provided by the system

Initial Comment:
Programs statically linked to zlib impose extra work for security-related fixes that are also needed for all the embedded copies of zlib. The attached patch changes makensis so that it uses the zlib compression library provided by the system on POSIX systems.

----------------------------------------------------------------------

>Comment By: Amir Szekely (kichik)
Date: 2009-12-22 01:44

Message:
Are you sure this works? Our zlib library is a modified library that's supposed to have a different output format.

As for the security threat, we control both the compressor and the decompressor. Any vulnerabilities in the decompressor are (a) not affected by this patch and (b) require modification of the executable file which already allows complete control.

----------------------------------------------------------------------