
Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow



On Tuesday 12 March 2002 15:52, Steve Langasek wrote:

> > 	Doesn't dpkg also compile with a static zlib? Why does it not make
> > this list?
>
> What Internet-accessible port are you running dpkg on? :)
>
> dpkg doesn't normally run on a network port, so exploiting it doesn't
> get you local access unless you already have it; and it's not suid, so
> running it from commandline doesn't let you get root.  Therefore, there
> is no security hole opened by a vulnerability in dpkg.

I think this reasoning is flawed - a vulnerable zlib in dpkg would be 
exploited by a trojaned deb package that someone unwittingly downloads, and 
as dpkg tends to be run as root, that would buy the attacker root privileges.

Admittedly, as things stand, a trojaned package could do many of those things 
with doctored install scripts anyway, but this vulnerability does matter if 
the package has to be uncompressed just to examine it.

John


