
Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow



On Mon, Mar 11, 2002 at 07:50:44PM -0500, Joey Hess wrote:

> Michael Stone wrote:
> >  A number of programs either link statically to zlib or include
> > a private copy of zlib code. These programs must also be upgraded
> > to eliminate the zlib vulnerability. The affected packages and fixed
> > versions follow:
> >   amaya 2.4-1potato1
> >   dictd 1.4.9-9potato1
> >   erlang 49.1-10.1
> >   freeamp 2.0.6-2.1
> >   mirrordir 0.10.48-2.1
> >   ppp 2.3.11-1.5
> >   rsync 2.3.2-1.6
> >   vrweb 1.5-5.1
> 
> So how many of these packages actually have a good reason to include their
> own zlib or link statically? This particular security hole is a classic
> example of why doing either with any library is braindead.  Shouldn't we
> try to make them all use the standard zlib, dynamically linked?

Most of them have no good reason.  rsync and ppp use modified zlib code.
Some of the offending packages link dynamically in woody, and yes, now that
this is public, we should file bugs against the ones which don't, and the
new packages which statically link zlib code.

I have some scripts which I used to find the above packages, which I plan to
run on unstable very soon.  I will post the results here for discussion
about filing of bugs.

> I know that some packages I maintain have their own copy of zlib in them,
> luckily I went with the dynamic library, so they do not appear in the
> above list.

Likewise.

-- 
 - mdz
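The thread turns on one inventory question: which binaries carry their own copy of zlib (statically linked or a private source copy) rather than depending on the shared libz? The following is an added example written for this page, not one of mdz's scripts and not Debian tooling. It relies on two things that really are present in binaries: zlib compiles its copyright banners (for instance ` deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly ` and the matching ` inflate ... Mark Adler ` string) into any object that contains its code, so they survive static linking and private copies; and a dynamically linked ELF executable names `libz.so.1` in its `.dynstr`. The sample byte strings, the `FIXED_VERSION` constant (zlib 1.1.4 is the upstream release that fixed the double free behind DSA 122) and the function names are mine; the advisory itself lists only package versions.

```python
import re
from pathlib import Path

# zlib banners as compiled into deflate.c / inflate.c, e.g.
#   " deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly "
#   " inflate 1.1.3 Copyright 1995-1998 Mark Adler "
ZLIB_BANNER = re.compile(rb"\b(deflate|inflate) (\d+\.\d+(?:\.\d+)?) Copyright \d{4}-\d{4}")

# A dynamically linked binary records its dependency as a soname in .dynstr.
LIBZ_SONAME = re.compile(rb"libz\.so(?:\.\d+)*")

# First upstream zlib release without the 2002 double-free (assumption documented above).
FIXED_VERSION = (1, 1, 4)


def parse_version(text: bytes) -> tuple:
    """'1.1.3' -> (1, 1, 3) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split(b"."))


def classify(data: bytes) -> dict:
    """Classify one binary image by how it obtains zlib.

    linkage:   'embedded' - zlib code (banner) is inside the file itself
               'dynamic'  - no banner, but a libz.so soname is referenced
               'none'     - no sign of zlib at all
    vulnerable: True/False for embedded copies, None for dynamic linkage
               (the answer then depends on the system libz, not this file).
    """
    versions = sorted({m.group(2).decode() for m in ZLIB_BANNER.finditer(data)},
                      key=lambda v: parse_version(v.encode()))
    references_libz = LIBZ_SONAME.search(data) is not None

    if versions:
        linkage = "embedded"
        # Any embedded copy older than the fix is still exposed regardless of
        # what the system libz package says.
        vulnerable = any(parse_version(v.encode()) < FIXED_VERSION for v in versions)
    elif references_libz:
        linkage = "dynamic"
        vulnerable = None
    else:
        linkage = "none"
        vulnerable = False

    return {
        "linkage": linkage,
        "embedded_versions": versions,
        "references_libz": references_libz,
        "vulnerable": vulnerable,
    }


def scan_tree(root: str) -> dict:
    """Classify every regular file under root; returns {path: classification}."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            try:
                results[str(path)] = classify(path.read_bytes())
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return results


# Constructed sample images standing in for real executables.
STATIC_SAMPLE = (b"\x7fELF" + b"\x00" * 16
                 + b" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly "
                 + b" inflate 1.1.3 Copyright 1995-1998 Mark Adler ")
DYNAMIC_SAMPLE = b"\x7fELF" + b"\x00" * 16 + b"\x00libc.so.6\x00libz.so.1\x00"
PATCHED_SAMPLE = b" deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly "

if __name__ == "__main__":
    for name, blob in (("static", STATIC_SAMPLE), ("dynamic", DYNAMIC_SAMPLE),
                       ("patched", PATCHED_SAMPLE)):
        print(name, classify(blob))
```

Run it over an unpacked package tree (`scan_tree("/usr/bin")`, for example) and the files reporting `embedded` with `vulnerable: True` are exactly the ones a zlib security update on the system package does nothing for, which is the point Joey Hess raises about static and private copies.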


