Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow
On Tuesday 12 March 2002 15:52, Steve Langasek wrote:
> > Doesnt dpkg also compile with a static zlib? Why does it not make
> > this list?
>
> What Internet-accessible port are you running dpkg on? :)
>
> dpkg doesn't normally run on a network port, so exploiting it doesn't
> get you local access unless you already have it; and it's not suid, so
> running it from commandline doesn't let you get root. Therefore, there
> is no security hole opened by a vulnerability in dpkg.
I think this reasoning is flawed - a vulnerable zlib in dpkg would be
exploited by a trojaned deb package that someone unwittingly downloads, and
as dpkg tends to be run as root, that would buy the attacker root privilages.
Admittedly, as things stand, a trojaned package could do many of those things
with doctored install scripts anyway, but this vulnerability does matter if
the package has to be uncompressed just to examine it.
John
Reply to: