Re: [RHSA-2002:026-35] Vulnerability in zlib library

From: Mark J Cox (mjcat_private)
Date: Wed Mar 13 2002 - 14:29:56 PST


    > I have used find-zlib perl script [2] (linked from the zlib homepage [3])
    > to find out which programs use statically linked zlib and got the
    > following output on "rpm" binary:
    
    But not all programs that make use of zlib are actually vulnerable in a
    useful way.  zlib is only used in RPM for the payload which is only
    decompressed on package installation.  Therefore as far as I can tell this
    could only be exploited if you are installing a trojan package.  There are
    many easier ways for a trojan package to compromise your system.
    
    Cheers, Mark
    --
    Mark J Cox / Red Hat / OpenSSL / Apache Software Foundation
    mjcat_private // T: +44 798 061 3110 / F: +44 845 333 9533
    


