VNC zlib Advisory draft 1

Adrian Umpleby a.umpleby "at" ic.ac.uk
Thu, 14 Mar 2002 09:10:10 +0000


>>Product:                ChromiVNC
>>
>>ChromiVNC does not yet implement the Zlib encoding
>>Please remove it from the list
>
>Done.

VNCThing supports zlib encoding, and it looks like the latest (v2.2)
includes v1.1.3 of zlib. I don't know if this particular version of
zlib as compiled on the Mac and used in Classic is vulnerable.
Dair would have to comment on this, and fix it if necessary (and a
fix for the RRE bug would be nice, Dair...?)

As for VNCDimension, I don't recall it having a zlib option - but I
can check a bit later today...

OSXVnc does not include zlib, as far as I can tell. (But, since OSX
has a built-in zlib, it would be fairly straightforward to add this
capability I think -maybe I'll look into it when I have a spare few
hours, along with some of the other things I mentioned in my last
post about OSXVnc...)

Also, note that the zlib included with Mac OS X is not affected by
this particular vulnerability, so as long as any VNC app for OSX
links to the OSX-supplied version, it should be OK.

Apple does not seem to have made any comment about Classic Mac OS.
(Do apps have to include their own zlib if used in Classic, just as
VNCThing has?)

Bye!

Adrian
---------------------------------------------------------------------
To unsubscribe, mail majordomo "at" uk.research.att.com with the line:
'unsubscribe vnc-list' in the message BODY
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------