@cR0w brb I'll just update the _gazillion_ embedded zlib libraries in ... EVERYTHING

@cR0w @troed zlib 1.3.1.2 is the current version in arch's core package db

@maaneeack

Yeah but don't assume untgz is in there. It's old, the issue is in having to search through every single embedded system to see if _they_ include it ...

@cR0w

Ah. This issue was reported already three years ago and Adler pointed out that anything in contrib/ is not considered part of zlib.

Someone would have needed to clone the repo and go out of their way to also compile untgz and include it somewhere. Still something that needs checking I guess, but it's not likely to exist in _many_ places.

"ioapi.c and untgz.c are in the contrib directory, and so are not part of zlib. You can contact the authors of those codes if you like, but in any case they are not vulnerabilities in zlib." - Mark Adler

https://github.com/madler/zlib/issues/754

@maaneeack @cR0w

@troed @maaneeack @cR0w The person who posted this also posted a bunch of other stuff in different projects. This is their "repro" for MongoDB:

```
./mdb_load -T /tmp/lmdb_asan < [crash_input_file]
```

...but I don't see `crash_input_file` anywhere. I smell slop.

(Source: https://seclists.org/fulldisclosure/2026/Jan/5)

@cR0w @maaneeack @troed Don't take my word for it, I really didn't have time to dig in, but that's kind of the problem with slop isn't it?

@cR0w @troed @maaneeack this is my new headache today 🥴