[Gllug] Has anyone seen this?
Nix
nix at esperi.demon.co.uk
Fri Mar 15 22:37:01 UTC 2002
On Tue, 12 Mar 2002, will at hellacool.co.uk stated:
> On Tue, Mar 12, 2002 at 02:00:40PM +0000, will wrote:
>> Anyone got any comments?
>
> That would be this:
>
> http://www.linuxsecurity.com/articles/security_sources_article-4582.html

Many of the programs they claim are vulnerable are not, even though they
use zlib.

 --- the kernel: The part of it that uses zlib-derived code for ISDN &c is
     vulnerable; the part that unzips the kernel isn't. (I think they use
     separate copies of zlib; certainly they did in the 2.2 days.)

 --- GCC isn't vulnerable. GCC 3 uses zlib to uncompress jar files, and
     if you can hand a suitably deformed jar file over to trip this, you
     can just put the hostile code *inside* the jar.

     However, programs that are compiled by gcj and use Java's
     gz-compression may be vulnerable to the bug in this copy. (But gcj in
     GCC-3.0 is alpha-quality and not expected to work properly; this is
     just an unexpected bug from that viewpoint, and not serious at all.)

But for many programs it's nasty; *sshd* uses it, for goodness' sake...

--
`Frankly I wonder whether you are not writing your posts from underneath a
bridge.' --- Jason Clifford, to a particularly dense troll
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug