Jan Engelhardt wrote in
<[email protected]>:
|On Tuesday 2026-02-17 22:21, Simon Josefsson wrote:
|>Sam James <[email protected]> writes:
|>
|>> * ZLB-01-001 WP2: Heap Buffer Overflow via Legacy gzprintf Implementation (High)
|>
|>That vulnerability seems to require that zlib was built with
|>-DNO_vsnprintf -DNO_snprintf, targeting a system lacking 'snprintf'.
|>
|>Does anyone know of a real-world environment using that configuration?
|
|Does Borland C++ 1.01 for DOS count?
Jörg Schilling documented in ANNOUNCEMENTS/AN-2019-10-25
- libschily: A vsnprintf() implementation has been added since this is
needed by SunPro Make and missing on Ultrix.
(Twenty+ years ago many projects had snprintf() built-in
fallbacks, often for %m, maybe (not sure) for crazy hexadecimal
crazy FP aka %a/%A. Now I have forgotten what I wanted to add.
Ah! The new zlib release brings a fix for 16-bit integers, so his
sense of real-world seems different from for example mine.)
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)