Bugtraq mailing list archives

Re: [RHSA-2002:026-35] Vulnerability in zlib library


From: Mark J Cox <mjc () redhat com>
Date: Wed, 13 Mar 2002 22:29:56 +0000 (GMT)

I have used find-zlib perl script [2] (linked from the zlib homepage [3])
to find out which programs use statically linked zlib and got the
following output on "rpm" binary:

But not all programs that make use of zlib are actually vulnerable in a
useful way.  zlib is only used in RPM for the payload which is only
decompressed on package installation.  Therefore as far as I can tell this
could only be exploited if you are installing a trojan package.  There are
many easier ways for a trojan package to compromise your system.

Cheers, Mark
--
Mark J Cox / Red Hat / OpenSSL / Apache Software Foundation
mjc () redhat com // T: +44 798 061 3110 / F: +44 845 333 9533
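
Added example, not part of the original message and not the find-zlib script it mentions: a minimal Python sketch of how a statically linked zlib can be spotted in a binary by the copyright strings zlib compiles into its deflate and inflate code. The function names, the sample bytes and the version numbers are constructed for illustration; the fixed version is supplied by the caller from the vendor advisory.

```python
import re
import sys

# zlib embeds strings such as " deflate X.Y.Z Copyright ..." and
# " inflate X.Y.Z Copyright ..." in its object code, so they remain
# visible in a binary that linked the library statically.
ZLIB_SIG = re.compile(rb"(deflate|inflate) (\d+\.\d+(?:\.\d+){0,2}) Copyright")

def parse_version(text):
    """Turn '1.0.0' into (1, 0, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def find_embedded_zlib(data):
    """Return sorted, de-duplicated (component, version) pairs found in data."""
    hits = {(m.group(1).decode(), m.group(2).decode())
            for m in ZLIB_SIG.finditer(data)}
    return sorted(hits)

def needs_review(hits, fixed_version):
    """True if any embedded copy reports a version older than fixed_version."""
    fixed = parse_version(fixed_version)
    return any(parse_version(version) < fixed for _, version in hits)

# Constructed sample: a fake binary image carrying both signature strings.
# The version 1.0.0 is a made-up value, not taken from the advisory.
SAMPLE = (b"\x7fELF\x02\x01\x01" + b"\x00" * 16
          + b" deflate 1.0.0 Copyright 1995-1998 Jean-loup Gailly \x00"
          + b"\x00" * 8
          + b" inflate 1.0.0 Copyright 1995-1998 Mark Adler \x00")

if __name__ == "__main__":
    # Usage: script.py FIXED_VERSION FILE [FILE ...]
    if len(sys.argv) < 3:
        sys.exit("usage: script.py FIXED_VERSION FILE [FILE ...]")
    fixed_version = sys.argv[1]
    for path in sys.argv[2:]:
        with open(path, "rb") as handle:
            hits = find_embedded_zlib(handle.read())
        if not hits:
            print(f"{path}: no embedded zlib signature")
            continue
        flag = "REVIEW" if needs_review(hits, fixed_version) else "ok"
        found = ", ".join(f"{name} {version}" for name, version in hits)
        print(f"{path}: {found} [{flag}]")
```

A hit only shows that a copy of zlib is linked in. Whether it is reachable with untrusted input still has to be judged per program, and a vendor may backport a fix without changing the embedded version string.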
