
Re: [SECURITY] [DSA 122-1] New zlib & other packages fix buffer overflow



On Tue, Mar 12, 2002 at 05:18:34PM +1300, John Morton wrote:
> On Tuesday 12 March 2002 15:52, Steve Langasek wrote:

> > > 	Doesn't dpkg also compile with a static zlib? Why does it not make
> > > this list?

> > What Internet-accessible port are you running dpkg on? :)

> > dpkg doesn't normally run on a network port, so exploiting it doesn't
> > get you local access unless you already have it; and it's not suid, so
> > running it from commandline doesn't let you get root.  Therefore, there
> > is no security hole opened by a vulnerability in dpkg.

> I think this reasoning is flawed - a vulnerable zlib in dpkg would be
> exploited by a trojaned deb package that someone unwittingly downloads, and
> as dpkg tends to be run as root, that would buy the attacker root privileges.

> Admittedly, as things stand, a trojaned package could do many of those things
> with doctored install scripts anyway, but this vulnerability does matter if
> the package has to be uncompressed just to examine it.

True.  Regardless of how much of a risk this really is, one of the dpkg
maintainers has indicated that a fixed package is on its way.

Regards,
Steve Langasek
postmodern programmer

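The question that starts this thread (which binaries carry their own zlib, and so are not fixed by the new libz package alone) is one an administrator can answer locally. The script below is an added example, not part of the original message and not Debian's or dpkg's own tooling. It assumes that a zlib build embeds the copyright strings from deflate.c and inftrees.c (" deflate 1.1.3 Copyright ... Jean-loup Gailly " and " inflate 1.1.3 Copyright ... Mark Adler "), so finding one of them in a binary that does not also pull in libz.so is a strong sign of a static copy; the function names zlib_linkage and scan_static_zlib are mine.

```shell
#!/bin/sh
# Added example (not from the thread): classify a binary as carrying a
# private, statically linked copy of zlib, linking libz.so dynamically,
# or neither. A dynamically linked binary picks up the fixed libz.so from
# the DSA; a static copy stays vulnerable until its package is rebuilt.
#
# Assumption (heuristic, not proof): zlib compiles the copyright strings
# from deflate.c and inftrees.c into every build, so their presence marks
# an embedded copy. A stripped or renamed copy can still hide. grep -a
# scans the file as text, so no binutils are needed.

# Prints "static <version>", "dynamic", "none" or "unreadable".
zlib_linkage() {
    f="$1"
    if [ ! -r "$f" ]; then
        echo "unreadable"
        return 1
    fi
    # Version string as zlib embeds it, e.g. "inflate 1.1.3" -> "1.1.3".
    ver=$(grep -a -o -E '(inflate|deflate) 1\.[0-9]+(\.[0-9]+)*' "$f" 2>/dev/null \
          | head -n 1 | cut -d' ' -f2)
    if [ -n "$ver" ]; then
        echo "static $ver"
    elif grep -a -q 'libz\.so' "$f" 2>/dev/null; then
        # DT_NEEDED entries live as plain strings in .dynstr.
        echo "dynamic"
    else
        echo "none"
    fi
}

# Walks the given directories and lists only the binaries that appear to
# embed zlib: the ones a libz-only update does not fix.
scan_static_zlib() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -f "$f" ] || continue
            r=$(zlib_linkage "$f")
            case "$r" in
                static*) echo "$f: $r" ;;
            esac
        done
    done
}

# Usage: sh check_zlib.sh /usr/bin/dpkg /usr/bin/dpkg-deb
# or, to sweep a system: scan_static_zlib /bin /sbin /usr/bin /usr/sbin
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        echo "$f: $(zlib_linkage "$f")"
    done
else
    echo "usage: $0 FILE..." >&2
fi
```

A binary reported as "static" needs a rebuilt package, which is exactly why the advisory covers more than libz; a "dynamic" one is covered once the new libz is installed and running processes are restarted.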