Re: [RHSA-2002:026-35] Vulnerability in zlib library

[Pavel Kankovsky <peak () argo troja mff cuni cz>]

On Tue, 12 Mar 2002, helmut g. katzgraber wrote:

> hm... when i look at the rpm list below i notice that redhat 
> seems to be doing the same thing they did last time there was a 
> big upgrade: issue new kernel rpms, forget about the kernel 
> headers. while these might not change, several programs will barf 
> if the directory in which the headers are, does not match the 
> kernel version.... unless they put the headers now in the 
> kernel, which i doubt. a quick check of the 6.2 kernel rpm
> kernel-2.2.19-6.2.15.alpha.rpm shows that

The most interesting thing is that zlib.c has not been touched since
2.2.19-6.2.12. As far as I can tell, the only changes between 6.2.12 and
6.2.15 are two small bugfixes: one for CIPE, another for debug traps (the
latter not mentioned in %changelog...bad RH! no biscuit!).

And to make things even more interesting, one file in the src.rpm,
ipvs-1.0.6-2.2.19.patch, contains a hunk looking a lot like a fix for
some double-free() problem zlib.c. But this patch is not used! They
use ipvs-1.0.8-2.2.19.patch which lacks this particular hunk!

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."